exploring-llm-traces

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to fetch and surface full trace event trees including $ai_input/$ai_output and to always include trace content/_posthogUrl with no redaction guidance, which can cause the LLM to reproduce secret values verbatim from traces.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and scripts explicitly instruct the agent to call posthog:query-llm-trace / query-llm-traces-list to fetch PostHog trace data and to read properties like $ai_input, $ai_input_state and $ai_output_state (which "can be very large" and contain full conversation histories/system prompts), meaning the agent ingests arbitrary user-generated trace content from a third-party analytics system and uses it to drive analysis and next actions—creating a clear path for indirect prompt injection.