langfuse-model-upsert
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes `npx tsx` to execute its logic. This triggers a dynamic download of the `tsx` package from the npm registry if not already cached. Unversioned `npx` calls are susceptible to package squatting or breaking changes in the fetched dependency.
- [REMOTE_CODE_EXECUTION] (MEDIUM): By using `npx` to run a local script, the skill introduces a runtime dependency on external package repositories. While the script itself is local, the execution environment is constructed dynamically, which is a common vector for supply chain attacks.
- [COMMAND_EXECUTION] (MEDIUM): The script executes destructive API calls (DELETE) and state-changing POST requests. These operations use parameters like `<model-name>` and `<pattern>` which are provided by the agent. If the agent processes untrusted data to determine these parameters, it could be coerced into deleting or misconfiguring Langfuse model definitions.
- [DATA_EXFILTRATION] (LOW): The script reads `LANGFUSE_SECRET_KEY` and sends it to the configured `LANGFUSE_HOST`. While necessary for the skill's function, the host is configurable via environment variables, presenting a minor risk if the environment is misconfigured or controlled by an adversary.
- [PROMPT_INJECTION] (MEDIUM): This finding relates to Category 8 (Indirect Prompt Injection).
  - Ingestion points: CLI arguments `<model-name>` and `--pattern` in SKILL.md.
  - Boundary markers: Absent. Arguments are interpolated directly into the Bash command.
  - Capability inventory: Network `fetch` (GET, POST, DELETE) used to modify external observability state.
  - Sanitization: Limited. Prices are parsed as floats, but the model name and regex pattern are used directly in API payloads, allowing for broad model matching or deletion if an attacker-controlled string is processed by the agent.
Audit Metadata