langfuse
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt explicitly shows embedding API keys/secrets inline in CLI commands (e.g., --env LANGFUSE_SECRET_KEY=sk-...), which encourages including secret values verbatim in commands/outputs and risks exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and inspects data from a Langfuse instance (e.g., https://cloud.langfuse.com) using tools documented in SKILL.md and references/tool-reference.md — including fetch_traces, fetch_observation, get_prompt, and dataset item endpoints — which return user-generated traces, generations, prompts and dataset contents that the agent is instructed to read and can materially influence prompt management and follow-up actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires a runtime connection to https://cloud.langfuse.com (via LANGFUSE_HOST and the MCP tools) and explicitly fetches prompt content (e.g., get_prompt/get_prompt_unresolved), so external content from that URL is used at runtime and can directly control agent instructions.
Audit Metadata