LangSmith CLI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LangSmith trace-analysis CLI, but users should treat its trace output as potentially sensitive.

Install only if you intend for your agent and terminal session to inspect LangSmith traces. Use a least-privilege LangSmith API key, keep project/time-window limits narrow, avoid running it in shared logs or transcripts, and prefer session-only environment variables or a secret manager over putting the key in ~/.zshrc.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill declares sensitive capabilities in metadata requirements (environment secret access and outbound network use) but does not present an explicit permission model in the skill definition. That creates a governance gap: users or orchestrators may invoke a networked, secret-consuming skill without clear consent boundaries, increasing the chance of unintended secret use or data egress.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding: The prompt-diff command retrieves arbitrary runs by ID and prints system prompts and outputs verbatim, which can expose secrets, internal instructions, PII, or proprietary prompt logic contained in trace data. In the context of a trace-analysis skill, access to prompts/outputs is plausible, but the unrestricted raw disclosure makes this more dangerous because LangSmith traces often contain sensitive application and user content.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger phrases are broad enough to match ordinary troubleshooting or analysis requests, which can cause the skill to activate unexpectedly. Because the skill can access an API key and fetch trace data, accidental invocation could expose sensitive operational data to the agent context when the user did not clearly intend to use LangSmith.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The ask and replay flows print trace-derived inputs, outputs, and metadata directly to stdout without warning or redaction. Because observability traces commonly contain API keys, user data, prompts, and model outputs, this can lead to unintended disclosure in terminals, logs, transcripts, or downstream agent context.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (flagged excerpt from the skill):
## Auth Setup
```bash
export LANGSMITH_API_KEY=<your-key>
# or add to ~/.zshrc
```

Test with: `python3 scripts/langsmith.py runs <project> --limit 3`
Confidence: 88%
Finding: `add to ~/.zshrc`

VirusTotal

66/66 vendors flagged this skill as clean.
