langfuse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs users to obtain API keys and shows commands that embed those keys directly in CLI environment flags (e.g., --env LANGFUSE_SECRET_KEY=sk-...), which requires or encourages including secret values verbatim in generated commands or outputs, an explicit exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and displays user-generated/untrusted content from a third-party Langfuse instance (e.g., cloud.langfuse.com) via tools like fetch_traces/fetch_trace/fetch_observation, get_prompt, and list_dataset_items (see SKILL.md and references/tool-reference.md), and that content is read and used to guide investigations and prompt/dataset management (create_text_prompt, update_prompt_labels), so third-party content could indirectly inject instructions that change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill configures LANGFUSE_HOST to https://cloud.langfuse.com and calls Langfuse APIs such as get_prompt which fetch prompt content at runtime (thereby directly controlling agent prompts), and the skill depends on that external host for required functionality.