langfuse

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection vulnerabilities. It ingests data from Langfuse traces and observations which contain untrusted inputs and outputs from external user interactions. An attacker could embed malicious instructions in these traces that the agent might follow when retrieving them.
  • Ingestion points: The fetch_trace, fetch_observation, and get_exception_details tools in references/tool-reference.md read data from the external Langfuse platform.
  • Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent treats retrieved trace content as data rather than instructions.
  • Capability inventory: The skill has the ability to modify production-level assets through create_text_prompt, update_prompt_labels, and create_dataset_item as described in SKILL.md.
  • Sanitization: Absent. Content retrieved from external traces is interpolated directly into the agent's context without filtering.
  • [EXTERNAL_DOWNLOADS]: The setup instructions in SKILL.md and references/setup.md direct the user to download and execute the langfuse-mcp package from the PyPI registry using the uvx tool. While PyPI is a standard registry, this involves the execution of third-party code.
  • [COMMAND_EXECUTION]: The skill requires the user to execute shell commands to configure the MCP environment, which includes setting sensitive environment variables (LANGFUSE_SECRET_KEY) and defining the runtime arguments for the server.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 6, 2026, 06:16 PM