logging-best-practices

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Full Analysis
  • Category 1: Prompt Injection (SAFE): No instructions were found that attempt to override agent behavior, bypass safety filters, or extract system prompts.
  • Category 2: Data Exposure (INFO): The code snippets demonstrate logging environment variables (e.g., COMMIT_SHA, AWS_REGION) and business context (e.g., user.id). While standard for observability, users should ensure secrets are not inadvertently stored in these environment variables.
  • Category 4: Dependencies (SAFE): The skill mentions 'pino', which is a standard and trusted Node.js logging library. No suspicious or unversioned remote downloads were found.
  • Category 8: Indirect Prompt Injection (INFO): The skill describes patterns for ingesting untrusted request data (headers, request bodies) into log events. This is an inherent surface for logging tools, but since the capability is restricted to display/logging (no write or decision-making), it represents negligible risk.
  • Scanner False Positive: The URLite alert for 'logger.info' is a false positive. The scanner likely misinterpreted the '.info' TLD or a specific signature; the string is a standard programming method call.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:44 AM