logging-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines patterns for collecting and logging untrusted data from external sources, which creates a surface for Indirect Prompt Injection (Category 8). Maliciously crafted input in request bodies or headers could be logged and subsequently used to influence log analysis tools or the agent's own future context.
- Ingestion points: Data is ingested from request bodies (
c.req.json()) and headers (c.req.header('user-agent')) inrules/wide-events.mdandrules/structure.md. - Boundary markers: The code examples do not include boundary markers or delimiters to separate untrusted user data from system-generated metadata within the logs.
- Capability inventory: The skill facilitates 'write' capabilities to logging sinks (stdout, files, or cloud providers) via the
pinolibrary. - Sanitization: There is an absence of sanitization, masking, or validation logic in the examples, which may lead to the logging of sensitive PII (like emails) or executable injection strings.
Audit Metadata