Chat Logger

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed chat logger, but it stores private messages and can expose all users' logs without clear access controls.

Only install this in an environment where all affected users know direct messages may be logged. Before production use, require explicit consent, restrict global summaries to authorized admins, make "my records" return only the requester's own logs, use exact command matching, and add retention/deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill clearly describes persistent file reads/writes under memory/chat-logs but declares no permissions, creating a capability-transparency gap. That makes review, sandboxing, and consent enforcement weaker because the agent/operator may not realize the skill stores and later reads conversational data from disk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill claims strict exact-match triggers and no main-agent handling, yet the documented behavior includes automatic hooks, broader substring-based query triggering, and side-effect logging during queries. This mismatch is dangerous because operators may trust the narrow stated behavior while the actual behavior captures more messages and exposes logs under broader conditions than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The handler accepts broad substring matches, such as any message containing "chatlog", rather than enforcing the manifest's documented exact-match trigger rules. This expands activation beyond user expectation and can expose sensitive logging and summary functions unintentionally, especially when paired with privileged data access.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill persistently records non-query direct messages but does not provide a clear end-user warning or consent notice in proportion to the data collection. This creates a privacy vulnerability because users may disclose sensitive information believing they are in a normal chat, while their messages are silently retained and later surfaced in summaries.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill creates a persistent local store for chat logs and is designed to write user messages automatically, but there is no visible notice, consent flow, or retention control. Silent persistence of conversational content is a privacy vulnerability because users may disclose sensitive data without knowing it is being archived.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The hook captures and stores direct-message content automatically on receipt, without any authorization, notice, or user action. This is more dangerous than manual logging because it enables pervasive background collection of private conversations and scales across all incoming direct messages.

Ssd 3

Severity: High
Confidence: 98%
Finding: The skill is designed to automatically log user conversations and generate whole-log summaries, which creates a direct natural-language exfiltration path for sensitive data. In this context, the danger is elevated because the stored content may include private conversations across users/channels and the summary interfaces appear to allow broad retrieval beyond the minimum necessary scope.

Ssd 3

Severity: High
Confidence: 88%
Finding: The skill stores raw user messages in plain text, organized by channel and user, creating a persistent repository of potentially sensitive communications. In this context, a chat-logging skill handling private Feishu/DingTalk conversations is especially dangerous because the data is highly likely to contain personal, business, or credential-like information.

Ssd 3

Severity: High
Confidence: 97%
Finding: The global summary function aggregates all users' activity and excerpts message contents across channels and dates, then returns them in response form. This is an unauthorized cross-user data exposure path because it reveals both metadata and message content far beyond the requesting user's own records.

Ssd 3

Severity: High
Confidence: 99%
Finding: A simple natural-language query containing "chatlog" can trigger return of the full chat log summary, and there are no visible authorization checks tied to requester identity or role. This makes mass disclosure of all recorded users' messages and activity trivial once the skill is reachable.

VirusTotal

64/64 vendors flagged this skill as clean.