chatkit-python
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): In `templates/chat_router.py`, the application explicitly executes `print(f"GOOGLE_API_KEY: {GOOGLE_API_KEY}")`. This action leaks the active Gemini API key into the process's standard output and log files, making it visible to anyone with log access or through log aggregation services.
- [PROMPT_INJECTION] (LOW): In `templates/chat_router.py`, the `user_id` provided in the HTTP request is directly concatenated into the system instructions for the LLM agent via the `create_agent` function. An attacker can manipulate the `user_id` field to inject system-level instructions or override assistant behavior.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection through external tool data.
  - Ingestion points: Incoming `request.messages` and data returned from MCP tool calls in `templates/chat_router.py`.
  - Boundary markers: Absent. User input and tool results are processed by the LLM without clear delimiters or 'ignore' instructions.
  - Capability inventory: The agent can perform task management operations (add, list, update, delete) via the connected MCP server.
  - Sanitization: Absent. Neither user-provided IDs nor message contents are validated or escaped before being interpolated into instructions or sent to the model.
Audit Metadata