instrument-error-tracking

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads official PostHog SDKs from established public registries (NPM, PyPI, Go, Maven, Rubygems, etc.) and references official assets on posthog.com and Cloudinary for documentation purposes.
  • [COMMAND_EXECUTION]: The skill uses standard developer commands for package management (e.g., npm install, pip install, bundle install) and framework-specific code generation (e.g., rails generate, ng g service) to initialize the SDK.
  • [PROMPT_INJECTION]: A surface for indirect prompt injection exists as the skill reads local codebase files to influence its actions.
    • Ingestion points: Dependency files and source code (SKILL.md Step 1 and Step 5).
    • Boundary markers: Absent; the skill does not use specific delimiters when reading existing code.
    • Capability inventory: Shell command execution and file writing across the project directory (SKILL.md Step 3 and Step 5).
    • Sanitization: Absent; the skill does not explicitly sanitize codebase content before using it to generate configuration or capture points. This is considered a low risk inherent to automated code modification tools.
  • [SAFE]: Environment variables for API keys are managed using a dedicated MCP tool or user input, following security best practices by avoiding hardcoded credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 05:30 PM