establishing-code-ownership

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The ownership.js script runs git ls-files via execFileSync to enumerate repository files. It follows security best practice by placing the -- separator before any user-supplied path prefix passed to git, so a prefix beginning with a dash is treated as a path rather than as a git option, which prevents argument injection.
  • [EXTERNAL_DOWNLOADS]: The skill mentions and links to the official PostHog feature-ownership handbook. This is a documentation reference to the vendor's own website and does not involve any automated downloads or execution of remote code at runtime.
  • [DATA_EXFILTRATION]: While the script reads repository metadata (CODEOWNERS and product.yaml files), it does not contain any network-capable code (e.g., fetch, curl, or socket operations). All processed data is output to the local console for the agent's use.
  • [NO_CODE]: The logic for resolving owners is contained within a provided JavaScript file (ownership.js) and a referenced vendor script (.github/scripts/codeowners.js). These scripts perform localized file parsing and regex matching without external dependencies.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 24, 2026, 06:17 PM
Security Audit — agent-trust-hub — establishing-code-ownership