Skills
skills/moonming/a6/a6-plugin-http-logger/Gen Agent Trust Hub

a6-plugin-http-logger

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill facilitates the transmission of system and traffic logs to external URIs. Captured data includes client IP addresses, request/response headers, and potentially full request/response bodies if explicitly enabled in the configuration.
  • [COMMAND_EXECUTION]: The skill utilizes the a6 command-line utility for gateway management tasks, including a6 route create, a6 route update, and a6 config sync. These commands are used to apply the logger configurations to the APISIX instance.
  • [CREDENTIALS_UNSAFE]: Examples within the documentation demonstrate the use of the auth_header field with truncated hardcoded Bearer tokens (e.g., eyJhbGciOiJIUzI1NiIs...). These serve as instructional placeholders for configuring endpoint authentication.
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by capturing and exporting untrusted user data (headers and bodies) to external logging backends.
  • Ingestion points: Request and response bodies, headers, and URI parameters are captured via NGINX variables (SKILL.md).
  • Boundary markers: None are defined in the provided configuration examples to delimit untrusted content from log metadata.
  • Capability inventory: The skill uses the a6 CLI to synchronize configurations and create routes (SKILL.md).
  • Sanitization: No evidence of data sanitization or escaping of the captured log content is provided in the configuration examples.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 9, 2026, 02:58 PM