registry  /  n8n-nodes-agent-langfuse  /  0.3.2

n8n-nodes-agent-langfuse@0.3.2

n8n AI Agent node with native Langfuse integration: tracing + prompt management

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an n8n community node that fetches Langfuse prompts and traces user-invoked AI-agent workflow executions.

Static reason
One or more suspicious static signals were detected.
Trigger
User installs the n8n community node and executes/configures the Agent Langfuse node in a workflow.
Impact
User workflow data and metadata may be sent to the configured Langfuse instance during explicit node execution; no unconsented install-time behavior found.
Mechanism
Langfuse prompt retrieval, LangChain agent execution, and Langfuse callback tracing
Rationale
Static inspection shows expected n8n Langfuse integration behavior with explicit runtime network calls and no install-time mutation, exfiltration beyond configured Langfuse tracing, persistence, destructive actions, or foreign AI-agent control-surface writes. Scanner secret/network hits are explained by credential definitions and package-aligned Langfuse API usage.
Evidence
package.jsondist/credentials/AgentLangfuseApi.credentials.jsdist/nodes/AgentLangfuse/AgentLangfuse.node.jsdist/nodes/AgentLangfuse/langfuse.jsdist/nodes/AgentLangfuse/execute.jsdist/nodes/AgentLangfuse/geminiSchema.js
Network endpoints3
cloud.langfuse.com/api/public/v2/prompts/api/public/projects

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime node fetches Langfuse prompts/projects and sends LangChain traces using user-supplied credentials in dist/nodes/AgentLangfuse/langfuse.js.
  • Agent execution can call connected n8n AI tools and LLMs when a workflow explicitly runs dist/nodes/AgentLangfuse/execute.js.
Evidence against
  • package.json has only prepublishOnly; no preinstall/install/postinstall hooks.
  • No child_process, eval, broad fs writes, persistence, native binary loading, or agent config mutation found.
  • Credentials file only defines n8n credential fields and Basic auth for Langfuse API test.
  • Network use is package-aligned: Langfuse prompt/project APIs and Langfuse tracing endpoint configured by credential URL.
  • Dynamic require in geminiSchema.js is limited to optional local zod-to-json-schema conversion.
  • README and node metadata match observed functionality.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 60.4 KB of source, external domains: cloud.langfuse.com, langfuse.com

Source & flagged code

1 flagged · loading source
dist/credentials/AgentLangfuseApi.credentials.jsView file
39patternName = generic_password severity = medium line = 39 matchedText = password...}}',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/credentials/AgentLangfuseApi.credentials.jsView on unpkg · L39

Findings

2 Medium3 Low
MediumSecret Patterndist/credentials/AgentLangfuseApi.credentials.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings