exploring-llm-traces
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing and displaying untrusted data from external AI traces.
  - Ingestion points: The skill uses `posthog:query-llm-trace` and `posthog:query-llm-traces-list` to fetch trace data, which includes external LLM inputs, outputs, and system prompts. This data is then read by the scripts in the `scripts/` directory.
  - Boundary markers: The trace content is printed by the parsing scripts and interpreted by the agent without explicit boundary delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The agent is authorized to execute shell commands (to run the provided Python scripts) and can perform arbitrary database queries via the `posthog:execute-sql` tool.
  - Sanitization: The provided Python scripts (e.g., `extract_conversation.py`) include logic to truncate long strings for display purposes but do not perform security-focused sanitization or escaping of the retrieved content.