技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 183 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:aiwithabidi/langfuse-observability
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The code and instructions mostly match an observability/tracing purpose, but the skill omits dependency and environment declarations and embeds default secret keys/host values — those mismatches and the presence of hard-coded credentials are concerning.
目的
The skill's name/description (Langfuse observability) matches the provided code (trace_llm, trace_api, trace_tool, etc.). However the registry metadata declares no required env vars or dependencies while the code relies on LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, LANGFUSE_HOST and the Langfuse Python SDK. The defaults in code (http://langfuse-web:3000 and hard-coded keys) are baked in rather than declared, which is inconsistent and risky.
说明范围
SKILL.md directs agents to import the bundled scripts and use tracing functions — that stays within the stated purpose. But the documentation does not mention the required langfuse SDK dependency or the critical environment variables, nor does it warn that traces may include prompts/completions (which can contain sensitive data) or that the endpoint/keys default to embedded values. The runtime instructions rely on network calls to LANGFUSE_HOS…
安装机制
This is an instruction-only skill with included Python scripts (no install spec). That is low-risk in terms of arbitrary network install, but it is incomplete: the package requires the Langfuse Python SDK (from 'from langfuse import Langfuse') which is not declared. Without installing that dependency the skill will fail. The absence of a declared install step for the SDK is a mismatch.
证书
The registry claims no required env vars, yet the code reads LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, LANGFUSE_HOST, and LANGFUSE_USER_ID. Critically, default values include what appear to be hard-coded public and secret keys in the source. Hard-coded secrets in a skill are inappropriate: they may be stale, invalid, or (if valid) leak privileged credentials. Requesting endpoint and creds is expected for a tracing integration, but they must be…
持久
The skill does not request permanent 'always: true' presence, does not modify other skills, and does not contain an install that writes binaries to system paths. Its privilege model is the platform default (user-invocable and agent-invocable). Note: because the code can send data to LANGFUSE_HOST, autonomous invocation combined with misconfigured credentials/endpoints would increase blast radius — but autonomous invocation alone is normal.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Langfuse Observability」。简介:Provides automatic tracing, logging, cost tracking, and health monitoring for O…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/aiwithabidi/langfuse-observability/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。