AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an n8n community node that fetches Langfuse prompts and traces user-invoked AI-agent workflow executions.
Static reason
One or more suspicious static signals were detected.
Trigger
User installs the n8n community node and executes/configures the Agent Langfuse node in a workflow.
Impact
User workflow data and metadata may be sent to the configured Langfuse instance during explicit node execution; no unconsented install-time behavior found.
Mechanism
Langfuse prompt retrieval, LangChain agent execution, and Langfuse callback tracing
Rationale
Static inspection shows expected n8n Langfuse integration behavior with explicit runtime network calls and no install-time mutation, exfiltration beyond configured Langfuse tracing, persistence, destructive actions, or foreign AI-agent control-surface writes. Scanner secret/network hits are explained by credential definitions and package-aligned Langfuse API usage.
Evidence
package.jsondist/credentials/AgentLangfuseApi.credentials.jsdist/nodes/AgentLangfuse/AgentLangfuse.node.jsdist/nodes/AgentLangfuse/langfuse.jsdist/nodes/AgentLangfuse/execute.jsdist/nodes/AgentLangfuse/geminiSchema.js
Network endpoints3
cloud.langfuse.com/api/public/v2/prompts/api/public/projects
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime node fetches Langfuse prompts/projects and sends LangChain traces using user-supplied credentials in dist/nodes/AgentLangfuse/langfuse.js.
- Agent execution can call connected n8n AI tools and LLMs when a workflow explicitly runs dist/nodes/AgentLangfuse/execute.js.
Evidence against
- package.json has only prepublishOnly; no preinstall/install/postinstall hooks.
- No child_process, eval, broad fs writes, persistence, native binary loading, or agent config mutation found.
- Credentials file only defines n8n credential fields and Basic auth for Langfuse API test.
- Network use is package-aligned: Langfuse prompt/project APIs and Langfuse tracing endpoint configured by credential URL.
- Dynamic require in geminiSchema.js is limited to optional local zod-to-json-schema conversion.
- README and node metadata match observed functionality.
Behavioral surface
ChildProcessNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/credentials/AgentLangfuseApi.credentials.jsView file
39patternName = generic_password
severity = medium
line = 39
matchedText = password...}}',
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/credentials/AgentLangfuseApi.credentials.jsView on unpkg · L39Findings
2 Medium3 Low
MediumSecret Patterndist/credentials/AgentLangfuseApi.credentials.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings