langfuse-observability
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill functions by retrieving and displaying raw LLM traces, which inherently contain untrusted data.
- Ingestion points: scripts/fetch-trace.ts, scripts/fetch-traces.ts, and scripts/list-prompts.ts all output raw string data from the Langfuse API.
- Boundary markers: Absent. The JSON output does not wrap LLM-generated content in delimiters or provide 'ignore embedded instructions' warnings.
- Capability inventory: While the skill scripts are read-only, the agent environment likely includes file-system or command-execution capabilities that could be targeted by instructions found inside a trace.
- Sanitization: None. The scripts perform direct JSON serialization of API responses without filtering or escaping content.
- [CREDENTIALS_UNSAFE] (SAFE): The skill correctly requires LANGFUSE_SECRET_KEY and LANGFUSE_PUBLIC_KEY to be provided via environment variables. No hardcoded secrets were found in the scripts or documentation.
- [EXTERNAL_DOWNLOADS] (SAFE): Dependencies are limited to the official langfuse SDK and standard TypeScript development tools (tsx, typescript). These are well-known packages from a standard registry.
- [COMMAND_EXECUTION] (SAFE): The scripts use process.argv for parameters like trace-id or limit. These values are passed as typed arguments to the Langfuse SDK and are not executed as shell commands.
Audit Metadata