Skills
skills/langfuse/skills/langfuse-cli/Snyk

langfuse-cli

Fail

Audited by Snyk on Feb 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt tells the agent to ask the user for their API keys and shows examples of exporting secret keys (LANGFUSE_SECRET_KEY=sk-lf-...), which means the agent may receive and be expected to embed or echo secret values verbatim in commands or instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). This skill fetches and instructs the agent to read public Langfuse documentation and search results (via https://langfuse.com/llms.txt, individual https://langfuse.com/docs pages, and the https://langfuse.com/api/search-docs endpoint) which explicitly indexes GitHub Issues/Discussions (user-generated content), so the agent would consume untrusted third‑party content as part of its workflow.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 08:21 AM