langfuse-prompt-view
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to fetch and display prompt content from an external API (Langfuse).
- Ingestion points: The
data.promptfield returned by the Langfuse API is printed directly to the console inscripts/langfuse-prompt-view.ts. - Boundary markers: No delimiters or instructions are provided to the agent to ignore any natural language instructions contained within the fetched prompt content.
- Capability inventory: The skill uses
npx tsxto execute TypeScript code via Bash, providing a vector for command execution if the agent is manipulated by injected instructions. - Sanitization: No sanitization or filtering is performed on the content retrieved from the external source.
- Credential Exposure (HIGH): The script transmits sensitive credentials (
LANGFUSE_SECRET_KEY) via Basic Authentication. - Evidence: In
scripts/langfuse-prompt-view.ts, theAuthorizationheader is constructed using environment variables and sent toLANGFUSE_HOST. - Risk: Since
LANGFUSE_HOST(orLANGFUSE_BASE_URL) is configurable via environment variables, an attacker who can influence the environment can redirect these credentials to a malicious server. - Command Execution & Remote Dependency (MEDIUM): The skill relies on
npxto execute the tool. - Evidence:
SKILL.mddefines the tool asnpx tsx *scripts/langfuse-prompt-view.ts*. - Risk: This involves the runtime download and execution of the
tsxpackage from the npm registry. Whiletsxis a common utility, usingnpxintroduces a dependency on external registries and potential for version-shifting or package hijacking.
Recommendations
- AI detected serious security threats
Audit Metadata