instrument-feature-flags
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and downloads official PostHog SDKs and documentation from vendor-controlled domains (e.g., posthog.com, i.posthog.com) and repositories (e.g., github.com/PostHog/*). These are recognized as legitimate vendor resources for the author 'posthog'.
- [COMMAND_EXECUTION]: The instructions include standard package installation commands for various environments, such as 'npm install posthog-js', 'pip install posthog', and 'go get github.com/posthog/posthog-go'. These are necessary for the skill's primary purpose of setting up feature flag instrumentation.
- [DATA_EXFILTRATION]: The skill accesses and modifies environment variable files (e.g., .env, .env.local) to store PostHog API keys. This is a standard and safe practice for secret management in development workflows. It also uses an MCP tool ('projects-get') to retrieve project tokens from the user's PostHog account.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection as it ingests untrusted data from the local codebase (Step 1) and possesses file-write capabilities (Step 5).
  - Ingestion points: Codebase files and dependency manifests (SKILL.md).
  - Boundary markers: The skill lacks explicit prompt boundary markers or instructions to ignore embedded commands in the files it analyzes.
  - Capability inventory: The agent has the capability to write instrumentation code to any file in the project (Step 5) and update environment configuration files (Step 6).
  - Sanitization: No explicit sanitization or validation of the ingested code content is mentioned before it is processed for instrumentation planning.
Audit Metadata