LangSmith Flaw Exposed OpenAI Keys Through Malicious Agent Trick
A Logging Tool Built on Trust, Undone by It
▼ Summary
– LangSmith patched a high-risk security flaw that exposed OpenAI API keys and sensitive user data through malicious proxy servers in shared agents.
– Attackers could capture all session data, including prompts, documents, and credentials, by tricking developers into testing compromised agents.
– The vulnerability stemmed from LangSmith’s excessive logging and lack of sandboxing for unverified agents, exposing environment variables by default.
– LangChain fixed the issue by filtering API keys from logs, reworking proxy configurations, and warning developers to avoid unknown shared agents.
– The incident highlights broader AI security risks, emphasizing the need for stricter vetting of community tools in production environments.
LangSmith, the observability platform built by LangChain to help developers track and debug AI chains, has patched a high-risk security flaw that exposed OpenAI API keys and sensitive user data. The vulnerability, disclosed by Horizon3.ai and publicly reported by The Hacker News on June 17, allowed attackers to embed malicious proxy servers in shared agents uploaded to the LangChain Hub.
When other developers clicked “Try it” on a compromised agent, their entire session, including prompts, documents, images, and voice data, was silently routed through the attacker’s proxy. Worse, environment variables such as OPENAI_API_KEY were exposed by default in LangSmith logs. The attacker needed no elevated access, just an uploaded agent and a curious user.
“This was a classic supply chain exposure wrapped in an LLM use case,” said Sasi Levi, one of the researchers behind the discovery. “All the attacker had to do was get someone to test their agent.”
The Problem With Logging Everything
LangSmith’s strength lies in its ability to log and trace complex AI workflows across chains and tools. But that visibility came with a cost. Horizon3.ai’s proof of concept showed that not only could logs contain sensitive data, but the platform also didn’t sufficiently sandbox unverified agents or warn about external proxies.
The attack chain was disturbingly simple:
- The attacker uploads a LangChain agent that routes through their proxy.
- A developer clicks “Try It” on LangSmith Hub.
- The attacker captures all inputs, credentials, and output flows.
This behavior exploited a blind spot in AI toolchains: over-trusting public agents and under-scrutinizing what gets logged. In traditional software, dependencies are vetted and signed. In LLM workflows, a “chain” can include anything from an image uploader to a voice translator, with minimal review.
LangChain responded by:
- Patching LangSmith’s backend on November 6, 2024, to filter out API keys from logs by default.
- Reworking how agent proxy configurations are displayed.
- Issuing guidance to developers to rotate API keys and avoid relying on unknown shared agents.
Bigger Implications for AI Security
LangSmith isn’t the only tool logging everything under the hood. From Replit to Hugging Face, many AI development environments prize transparency, at the cost of security. As the industry encourages developers to “compose” AI apps by stitching together community tools, the trust model breaks down fast.
“It’s a wake-up call for anyone building with LangChain or similar frameworks,” said Gal Moyal, co-author of the Horizon3.ai report. “We’re not in the prototype phase anymore. These are production systems now, and they need to be treated that way.”
Security analysts say this isn’t just about one bug. It’s about a pattern. The next time an AI agent asks you to click “Try It,” the real test might be on your credentials, not the model’s performance.
