The Agent Skills Directory

[DATA_EXFILTRATION]: The skill directs the agent to read sensitive credentials from the project's .env file using shell commands like grep and cut. Specifically, it extracts LANGFUSE_PUBLIC_KEY and LANGFUSE_SECRET_KEY. While necessary for API authentication, accessing .env files is a sensitive operation that can lead to credential exposure if the agent's context is compromised.
[COMMAND_EXECUTION]: The skill heavily relies on the Bash tool to execute curl commands for API interaction. These commands dynamically interpolate credentials read from the filesystem, which is a potential vector for command injection if the environment variables contain malicious content.
[EXTERNAL_DOWNLOADS]: The REFERENCE.md file recommends the installation of third-party, community-maintained MCP servers from unknown sources (e.g., GitHub users avivsinai and therealsachin). Commands like pip install langfuse-mcp and npx @therealsachin/langfuse-mcp involve downloading and executing code from unverifiable repositories.
[PROMPT_INJECTION]: The skill retrieves and processes LLM observability data (traces and observations) which contains untrusted input and output from other sessions. This creates a surface for indirect prompt injection where an attacker could influence the agent by placing instructions within the logged data.
Ingestion points: Data fetched from /api/public/traces and /api/public/observations as documented in SKILL.md and REFERENCE.md.
Boundary markers: None identified; the instructions do not suggest wrapping external data in delimiters or warnings to ignore embedded instructions.
Capability inventory: The skill uses Bash and WebFetch to retrieve data and has the capability to write to the console or other tools.
Sanitization: Use of jq provides structural parsing, but there is no evidence of content-level sanitization or escaping of the LLM inputs/outputs before they are processed by the agent.

langfuse