Langfuse Bridge

Security checks across malware telemetry and agentic risk

Overview

This plugin is a disclosed Langfuse telemetry bridge, but it reads local session transcripts to export prompt and response text that OpenClaw does not provide to third-party plugins.

Install only if you are comfortable sending OpenClaw prompts, responses, session IDs, usage/cost data, provider metadata, and error metadata to your configured Langfuse host. Treat this as a Review item because content export is sensitive and there is no artifact-backed redaction or metadata-only switch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

High
Confidence: 97%
Finding
This code deliberately bypasses the platform's privacy boundary by reading per-session transcript files to recover prompt and response content that OpenClaw explicitly does not expose to third-party plugins. That can exfiltrate sensitive user prompts, model outputs, secrets, or regulated data to external telemetry systems, defeating the user's and platform's privacy expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states that the plugin forwards model usage and cost, and may make a best-effort attempt to recover prompt/response text from session trajectory transcripts for transmission to Langfuse, but it does not prominently warn about the privacy and data export implications. This can lead operators to enable the plugin without realizing that potentially sensitive prompts, responses, and metadata are being reconstructed from local transcripts and sent to a third-party service.

Missing User Warnings

Medium
Confidence: 90%
Finding
This plugin subscribes to internal diagnostic events and forwards model usage data to an external Langfuse endpoint, and the comments explicitly state it also attempts to recover prompt/response text from per-session transcripts under ctx.stateDir to populate generation input/output. Even if the public diagnostic stream omits private data, reconstructing and exporting transcript content can expose sensitive prompts, responses, or user data to a third party without any explicit consent gate, redaction, or user-facing warning in this file.

Missing User Warnings

Medium
Confidence: 89%
Finding
This code forwards model inputs, outputs, session identifiers, provider metadata, and error details to Langfuse telemetry without any visible consent gate, redaction step, or policy check. If diagnostic content contains prompts, user data, secrets, or regulated information, it can be exfiltrated to an external observability system and retained there, creating a real privacy and data-handling risk.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The manifest description says it forwards model usage diagnostics to Langfuse and the plugin is configured to start automatically, but there is no indication of user consent, opt-in, or a disable-by-default control. That creates a privacy and data-governance risk because telemetry may be sent externally as soon as the host starts, potentially including sensitive usage metadata depending on runtime behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code captures prompt and response content from private session transcripts and returns it for downstream use without any visible consent, warning, or transparency mechanism in this file. Even if intended for observability, silent collection of conversational content creates a privacy and compliance risk because users may not know their data is being harvested and forwarded.

VirusTotal

60/60 vendors flagged this plugin as clean.
