exploring-llm-traces

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to fetch and surface full trace event trees including $ai_input/$ai_output and to always include trace content/_posthogUrl with no redaction guidance, which can cause the LLM to reproduce secret values verbatim from traces.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly queries PostHog traces (posthog:query-llm-trace / query-llm-traces-list and SQL) and the SKILL.md plus scripts (e.g., extract_conversation.py, extract_span.py) instruct the agent to read $ai_input / $ai_output_choices and span input/output state — which are arbitrary, project/user-generated contents that the agent will parse and act on — so untrusted third-party content can directly influence decisions.