instrument-feature-flags
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill is authored by PostHog and its instructions align with official documentation for instrumenting feature flags. It interacts exclusively with vendor-controlled domains and software.
- [EXTERNAL_DOWNLOADS]: Downloads and references official PostHog SDKs from trusted sources like NPM, PyPI, and GitHub to set up project analytics.
- [COMMAND_EXECUTION]: Executes standard package manager commands (e.g., `npm install`, `pip install`) and file operations to configure the project's environment and source code.
- [SAFE]: Data Ingestion Surface (Indirect Injection): The skill reads project configuration and source files to detect platforms and inject code. While it lacks explicit sanitization or boundary markers for user-provided code, the operations are restricted to project setup using official vendor templates and occur within a development context. Evidence: Ingestion points: Dependency files (STEP 1) and source code (STEP 5); Boundary markers: Absent; Capability inventory: Package installation (shell commands), file system read/write; Sanitization: Absent.
Audit Metadata