Back to plugin

Security audit

oh-my-langfuse

Security checks across malware telemetry and agentic risk

Overview

The plugin’s Langfuse tracing and prompt features are mostly disclosed, but the packaged code shows a hardcoded secret-looking key and broad automatic trace/session export that users should review before installing.

Install only if you trust the publisher and the configured Langfuse destination. Before enabling it, inspect the bundle for the flagged secret, confirm what trace data is sent and redacted, use a trusted or self-hosted Langfuse instance for sensitive work, and be careful with prompt rules that replace system prompts.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.mjs:4060
Evidence
secretKey: [REDACTED],

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
dist/index.mjs:4623
Evidence
raw = fs2.readFileSync(sessionFile, "utf-8");