langfuse-cli
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted external data from the Langfuse website and search API, which could contain malicious instructions targeting the agent.
  - Ingestion points: Fetches documentation via https://langfuse.com/llms.txt and https://langfuse.com/docs/... (SKILL.md lines 53, 62), and queries a search API at https://langfuse.com/api/search-docs (SKILL.md line 73).
  - Boundary markers: Absent. The instructions do not direct the agent to ignore instructions embedded within the fetched documentation or search results.
  - Capability inventory: The skill gives the agent full programmatic access to the Langfuse API via npx langfuse-cli, including the ability to create prompts, datasets, and scores (references/cli.md).
  - Sanitization: Absent. There is no evidence that content returned from the external URLs is sanitized or validated before the agent processes it.
- Unverifiable Dependencies (MEDIUM): The skill uses npx to download and execute the langfuse-cli package from the npm registry at runtime.
  - Evidence: Found in SKILL.md (line 17) and references/cli.md (line 5). While Langfuse is a known entity, executing unversioned packages from a public registry represents a supply-chain risk.
- Command Execution (LOW): The skill relies on executing shell commands (npx, curl) to perform its core functions. While expected for a CLI-based skill, this capability provides the mechanism for exploitation if the agent is successfully manipulated via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata