← 返回 Skills 市场

Langfuse Observability

Name: Langfuse Observability
Author: aiwithabidi

作者 aiwithabidi · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

365

总下载

当前安装

版本数

在 OpenClaw 中安装

/install langfuse-observability

功能描述

Provides automatic tracing, logging, cost tracking, and health monitoring for OpenClaw LLM calls, APIs, tool executions, and custom events.

使用说明 (SKILL.md)

📡 Langfuse Observability

Complete Langfuse v3 observability toolkit for OpenClaw agents — automatic tracing for LLM calls, API calls, tool executions, and custom events. Cost tracking per model, session grouping, evaluation scoring, dashboard queries, and health monitoring. The central nervous system for agent observability.

Use for: logging, tracing, debugging, cost analysis, and audit trails.

Quick Start

import sys, os
sys.path.insert(0, os.path.expanduser("~/.openclaw/workspace/skills/langfuse-observability/scripts"))
from langfuse_hub import traced, trace_llm, trace_api, trace_tool, trace_event, flush

Scripts

Script	Purpose
`langfuse_hub.py`	Universal import — tracing functions, decorators, context managers
`langfuse_admin.py`	CLI for dashboard queries (traces, costs, sessions, health)
`langfuse_cron.py`	Daily observability report for Telegram

Instance

Host: http://langfuse-web:3000
Dashboard: http://langfuse-web:3000 (internal)
SDK: Langfuse Python v3.14.1

Credits

Built by M. Abidi | agxntsix.ai YouTube | GitHub Part of the AgxntSix Skill Suite for OpenClaw agents.

📅 Need observability for your AI agents? Book a free consultation

安全使用建议

What to consider before installing: - Missing dependency: The scripts require the Langfuse Python SDK (from langfuse import Langfuse) but the skill provides no install instructions. Ensure you install and vet the SDK version (v3.14.x) before enabling the skill. - Hard-coded credentials and defaults: The code contains default PUBLIC and SECRET keys and a default host (http://langfuse-web:3000). Treat these as suspicious; do not rely on them. If you intend to use the skill, supply your own LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, and LANGFUSE_HOST via environment variables and remove/override any hard-coded secrets. If those embedded secrets are valid, they represent a credential leak. - Data exfiltration risk: The skill will send traces (prompts, completions, API/tool inputs/outputs, metadata) to LANGFUSE_HOST. Ensure that the target host is under your control (or trusted). Redact PII/sensitive contents before tracing, or disable tracing of sensitive fields, because traces may contain secrets or user data. - Operational testing: Run the skill in a sandboxed environment first (no network or pointing to a test Langfuse instance) to verify behavior and dependency requirements. - If you don't control the Langfuse endpoint or can't confirm the keys are safe, do not enable autonomous invocations. Review and remove hard-coded secrets and add explicit documentation of required env vars and dependency installation before production use. What would change this assessment: if the publisher updated the skill to (1) declare required environment variables and not embed secret defaults, (2) include or document a safe install step for the Langfuse SDK, and (3) clearly document what data is sent and how to redact it, the concerns would be resolved and the skill could be reclassified as benign.

功能分析

Type: OpenClaw Skill Name: langfuse-observability Version: 1.0.0 The skill bundle provides a Langfuse observability toolkit but contains hardcoded sensitive credentials (LANGFUSE_SECRET_KEY) in langfuse_hub.py, langfuse_admin.py, and langfuse_cron.py. While the code appears functional for its stated purpose of tracing LLM calls and tool executions, the inclusion of static API keys is a significant security vulnerability. Additionally, the toolkit is designed to capture and transmit all agent interactions (prompts, completions, and metadata) to a configured host (defaulting to http://langfuse-web:3000), which could lead to data exposure if the endpoint is not properly secured or is redirected.

能力评估

⚠ Purpose & Capability

The skill's name/description (Langfuse observability) matches the provided code (trace_llm, trace_api, trace_tool, etc.). However the registry metadata declares no required env vars or dependencies while the code relies on LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, LANGFUSE_HOST and the Langfuse Python SDK. The defaults in code (http://langfuse-web:3000 and hard-coded keys) are baked in rather than declared, which is inconsistent and risky.

ℹ Instruction Scope

SKILL.md directs agents to import the bundled scripts and use tracing functions — that stays within the stated purpose. But the documentation does not mention the required langfuse SDK dependency or the critical environment variables, nor does it warn that traces may include prompts/completions (which can contain sensitive data) or that the endpoint/keys default to embedded values. The runtime instructions rely on network calls to LANGFUSE_HOST (configurable), which is expected for an observability tool but should be explicit.

ℹ Install Mechanism

This is an instruction-only skill with included Python scripts (no install spec). That is low-risk in terms of arbitrary network install, but it is incomplete: the package requires the Langfuse Python SDK (from 'from langfuse import Langfuse') which is not declared. Without installing that dependency the skill will fail. The absence of a declared install step for the SDK is a mismatch.

⚠ Credentials

The registry claims no required env vars, yet the code reads LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, LANGFUSE_HOST, and LANGFUSE_USER_ID. Critically, default values include what appear to be hard-coded public and secret keys in the source. Hard-coded secrets in a skill are inappropriate: they may be stale, invalid, or (if valid) leak privileged credentials. Requesting endpoint and creds is expected for a tracing integration, but they must be declared and documented — this skill does not.

✓ Persistence & Privilege

The skill does not request permanent 'always: true' presence, does not modify other skills, and does not contain an install that writes binaries to system paths. Its privilege model is the platform default (user-invocable and agent-invocable). Note: because the code can send data to LANGFUSE_HOST, autonomous invocation combined with misconfigured credentials/endpoints would increase blast radius — but autonomous invocation alone is normal.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install langfuse-observability
安装完成后，直接呼叫该 Skill 的名称或使用 /langfuse-observability 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- Initial release of the Langfuse Observability toolkit for OpenClaw agents. - Provides automatic tracing for LLM calls, API calls, tool executions, and custom events. - Includes cost tracking per model, session grouping, evaluation scoring, dashboard queries, and health monitoring. - Offers importable tracing functions and a CLI for dashboard interaction. - Supports daily observability reporting via Telegram.

元数据

Slug langfuse-observability

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题