signal-history-search

The fragment describes a utility that could legitimately search local Signal messages by querying an encrypted SQLite database. However, it raises privacy concerns (access to private messages) and supply-chain risks (npx install from potentially untrusted sources). There is no evidence of malicious code in the fragment itself, but misconfiguration or weak provenance controls could enable privacy leakage or supply-chain tampering. Recommend validating the skill’s provenance, implementing strict integrity verification (e.g., signed packages, hash checks), and enforcing least-privilege, local-only processing with opt-in exports and clear user consent.