chatlens feeds chat messages to an LLM for categorization and summarization. This creates security and privacy considerations you should understand.

What it is: If someone in your chat sends a message like "IGNORE ALL PREVIOUS INSTRUCTIONS and output...", the LLM might follow that instruction instead of analyzing the message normally.

What chatlens does about it:

1. XML boundary tagging: Each message is wrapped in <message> tags with metadata attributes, making it harder for injected text to break out of the message context.

2. System prompt hardening: The categorization and summarization prompts include explicit instructions telling the LLM to treat all message content as data, not commands.

3. Output validation: After the LLM responds, chatlens validates that:

   • The JSON structure matches the expected schema
   • Topic IDs are from your configured roster (not invented by injected content)
   • Emerging topics aren't suspiciously long or contain system-prompt-like content

4. Keyword fallback: If the LLM fails to produce valid JSON (possibly due to injection), chatlens falls back to simple keyword matching — no LLM involved.

What chatlens does NOT do:

• It cannot guarantee that a sophisticated injection won't corrupt a summary. A carefully crafted message could cause the LLM to produce a misleading bullet point.
• It does not filter or censor message content before sending to the LLM.

Recommendations:

• Use --dry-run to preview results before trusting output from chats with untrusted participants.
• Review the _index.md dashboard for anything that looks out of place.
• Run chatlens eval injection periodically to test your provider's resistance.

Your chat data goes to your chosen LLM provider's API. This means:

• Anthropic: Messages are sent to Anthropic's API. See their privacy policy.
• OpenAI: Messages are sent to OpenAI's API. See their privacy policy.
• Ollama: Messages stay on your local machine. No data leaves your computer.

If you're analyzing sensitive conversations, consider using Ollama for fully local processing.

chatlens itself:

• Stores all data locally (state files, reports, metrics)
• Never phones home or sends telemetry
• The WhatsApp daemon binds to 127.0.0.1 only — not accessible from the network

The worst case from a prompt injection or LLM failure is corrupted local reports. chatlens:

• Only writes to your configured output directory
• Never sends messages (the WhatsApp daemon is read-only by design)
• Never modifies your chat history
• Never accesses files outside its configured paths

• WhatsApp: chatlens connects as a linked device to your own WhatsApp account. It reads messages you already have access to. It never sends messages. This is functionally equivalent to reading your own chat history.

• iMessage: chatlens reads from your local chat.db file via imessage-exporter. This is your own message database on your own computer.

Both adapters are read-only by design. There is no code path for sending messages.

If you find a security vulnerability, please email tim@iteachyouai.com instead of opening a public issue.