langfuse
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs users to store sensitive API keys (including a secret key starting with
sk-) in local configuration files like.mcp.jsonor~/.codex/config.toml. - Evidence:
SKILL.mdandreferences/setup.mddescribe addingLANGFUSE_SECRET_KEYto environment variables in MCP configurations. - Mitigation: The skill correctly advises adding
.mcp.jsonto.gitignoreand rotating keys if leaked. - [EXTERNAL_DOWNLOADS]: The skill uses
uvxto download and execute thelangfuse-mcppackage from external registries during setup. - Evidence:
SKILL.mdcontains commands such asuvx langfuse-mcpfor installation and execution. - [DATA_EXFILTRATION]: The skill is designed to transmit data (traces, observations, and metadata) to the Langfuse service (defaulting to
cloud.langfuse.com). While this is the intended functionality, users should be aware of the data being shared. - Evidence:
SKILL.mdandreferences/tool-reference.mddocument tools for fetching and sending data to the remote observability platform. - [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection as it retrieves data from previous LLM interactions (traces and observations) which could contain malicious instructions.
- Ingestion points:
references/tool-reference.md(tools likefetch_trace,fetch_observation, andget_exception_details). - Boundary markers: Absent; the instructions do not include specific delimiters or warnings for the agent to ignore instructions embedded in the retrieved traces.
- Capability inventory:
SKILL.md(execution of thelangfuse-mcptool viauvx, file system write capability viaoutput_mode="full_json_file"). - Sanitization: No explicit sanitization or filtering of trace content is mentioned in the skill documentation.
Audit Metadata