langfuse

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs users to store sensitive API keys (including a secret key starting with sk-) in local configuration files like .mcp.json or ~/.codex/config.toml.
  • Evidence: SKILL.md and references/setup.md describe adding LANGFUSE_SECRET_KEY to environment variables in MCP configurations.
  • Mitigation: The skill correctly advises adding .mcp.json to .gitignore and rotating keys if leaked.
  • [EXTERNAL_DOWNLOADS]: The skill uses uvx to download and execute the langfuse-mcp package from external registries during setup.
  • Evidence: SKILL.md contains commands such as uvx langfuse-mcp for installation and execution.
  • [DATA_EXFILTRATION]: The skill is designed to transmit data (traces, observations, and metadata) to the Langfuse service (defaulting to cloud.langfuse.com). While this is the intended functionality, users should be aware of the data being shared.
  • Evidence: SKILL.md and references/tool-reference.md document tools for fetching and sending data to the remote observability platform.
  • [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection as it retrieves data from previous LLM interactions (traces and observations) which could contain malicious instructions.
  • Ingestion points: references/tool-reference.md (tools like fetch_trace, fetch_observation, and get_exception_details).
  • Boundary markers: Absent; the instructions do not include specific delimiters or warnings for the agent to ignore instructions embedded in the retrieved traces.
  • Capability inventory: SKILL.md (execution of the langfuse-mcp tool via uvx, file system write capability via output_mode="full_json_file").
  • Sanitization: No explicit sanitization or filtering of trace content is mentioned in the skill documentation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 02:37 AM
Security Audit — agent-trust-hub — langfuse