langsmith-fetch

[Skill Scanner] Installation of third-party script detected This is a benign instructional skill that tells an agent how to use the langsmith-fetch CLI to fetch and analyze traces from LangSmith Studio. There is no evidence of malware or code-level backdoors in the provided document. The main security concerns are operational: exported traces often contain sensitive user data, API call payloads, or credentials; the skill encourages writing API keys into shell profile files and sharing exported trace folders without explicit warnings. Recommend: (1) warn users that traces may contain PII/secrets, (2) advise sanitizing/redacting traces before sharing, (3) recommend using secrets managers or restricted-permission files rather than echoing keys into ~/.bashrc, and (4) verify the provenance of the langsmith-fetch CLI (review its source on GitHub/PyPI) before installation. LLM verification: No direct malicious code is present in this documentation skill file. The functionality and requested credentials are consistent with its stated purpose (fetching/analyzing LangSmith traces). However, there are supply-chain and operational risks: an unpinned third-party pip install (langsmith-fetch) increases dependency/supply-chain risk, and the workflows encourage writing and sharing raw trace data and echoing API keys, which can leak sensitive information. Overall: not malicious, but moderate