langsmith-fetch
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill documentation refers to 'langsmith-fetch' as a project dependency. This is an external package that does not belong to the list of trusted repositories or organizations. \n- [COMMAND_EXECUTION] (SAFE): The skill uses 'uv run' to execute the CLI tool. This is a standard execution method for Python-based utilities and does not present an inherent security risk beyond the dependency itself. \n- [PROMPT_INJECTION] (LOW): The skill has a surface for indirect prompt injection as it ingests external LangSmith traces. \n
- Ingestion points: Trace data fetched from the LangSmith API and saved locally in ./traces or ./debug. \n
- Boundary markers: Absent; there are no instructions to use delimiters or ignore instructions found within the trace data. \n
- Capability inventory: Execution of subprocesses via 'uv run'. \n
- Sanitization: None; the trace content is processed in raw or JSON formats without escaping or validation.
Audit Metadata