Only the latest main branch and latest published ZIP are supported with security fixes.
If you find a security issue in Chatologist, please do not open a public issue with exploit details or private data.
Use GitHub private vulnerability reporting if available:
https://github.com/mo5029/chatologist/security/advisories/new
If that is unavailable, open a minimal public issue saying you need a private security contact, without including the vulnerability details.
Chatologist has no telemetry. No analytics, no crash reporting, no phone-home, no accounts, no API keys collected, and no Chatologist backend.
Chatologist is designed for local analysis of user-provided exports:
- It does not log into ChatGPT, Claude, or any other account.
- It does not scrape browser sidebars, account pages, or live chats.
- It reads only the export path you pass with
--input. - It writes outputs only to the output directory you choose.
- It is stdlib-only and does not require package installation.
After you have cloned or downloaded the repo, the analysis scripts are local-only. The scripts do not call HTTP APIs, upload files, or fetch remote resources.
Typical runtime command:
python3 scripts/run_pipeline.py \
--input /path/to/export.zip \
--output-dir audit_output \
--audit-request "Audit how I use AI"Data flow:
user export on disk -> local Python scripts -> local output directory
Nothing is uploaded by Chatologist.
Network activity can happen only when the user chooses a network-based install or export path:
git cloneor GitHub ZIP download fetches this repository.- ChatGPT or Claude export downloads happen through the vendor's official export flow, outside Chatologist.
- Badge images in
README.mdload from shields.io when GitHub renders the page.
The runtime audit pipeline itself is local.
The following can contain private or sensitive content and should not be committed or shared without review:
- raw export ZIPs or extracted exports;
audit_output/;tmp/;raw_exports/;private_exports/;- normalized message CSV, JSONL, or SQLite files;
- label files;
- evidence tables and reports.
The default .gitignore excludes common private export and output paths, but you are still responsible for reviewing outputs before sharing them.
AI chat exports can contain:
- personal health details;
- names, emails, and phone numbers;
- credentials or API keys;
- file paths;
- proprietary code;
- legal, financial, or employment information;
- third-party private information.
Run the privacy scanner before sharing outputs:
python3 scripts/privacy_scan.py \
--path audit_output \
--output-dir audit_output/privacyThe scanner is a convenience check, not a guarantee. Human review is still required before publishing evidence tables or reports.
Static scanners may flag Chatologist because it:
- reads local files supplied by the user;
- writes CSV, JSONL, SQLite, and Markdown outputs;
- parses ZIP files;
- can process sensitive text if the user supplies sensitive exports.
These are expected capabilities for a local audit tool. They are not hidden network or telemetry behavior.