signal-history-search
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill is designed to extract the Signal encryption key from the macOS Keychain (`Signal Safe Storage`) and read the contents of the local Signal SQLite database. This exposes the user's entire private message history to the AI agent's context. While the skill claims data stays local, the agent itself becomes a potential exfiltration vector if it has other capabilities (e.g., internet access or file writing).
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data (private messages from external contacts) into the agent's reasoning loop.
  - Ingestion points: Signal `messages` and `conversations` tables.
  - Boundary markers: None detected in the skill description; messages are dumped directly into context.
  - Capability inventory: Keychain access via `security`, shell execution via `nix-shell`, and raw database access.
  - Sanitization: None provided. A malicious Signal message could contain 'hidden' instructions to override the agent's system prompt.
- Command Execution (MEDIUM): The skill executes shell commands (`security find-generic-password`) to access the system keychain and utilizes `nix-shell` for environment setup. This bypasses standard application sandboxing to access sensitive secrets.
- External Downloads (MEDIUM): The skill relies on `nix-shell` to dynamically fetch and build the Python environment and SQLCipher bindings at runtime. This introduces a dependency on external, unversioned package sources that are retrieved during the first run.
Recommendations
- AI detected serious security threats
Audit Metadata