instrument-integration

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [CREDENTIALS_UNSAFE]: A hardcoded PostHog project token was discovered within a reference configuration file.
      • File: references/EXAMPLE-swift.md (within the BurritoConsiderationClient.xcscheme code block).
      • Evidence: The environment variable POSTHOG_PROJECT_TOKEN is explicitly set to phc_jE9kXU0depRekiuabVROlxxkIXn95NqsNO3qB4qNKtl. Although project tokens are client-side identifiers, they should be treated as placeholders in integration examples to prevent the unintentional use of specific project identities.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of system commands for dependency management and project verification.
      • Evidence: Step 3 and Step 7 of the instructions in SKILL.md direct the agent to use package managers (such as npm, pip, bundle, composer, and go) to install SDKs and run project scripts such as linters.
  • [EXTERNAL_DOWNLOADS]: The skill automates the retrieval of official PostHog integration libraries from public package registries.
      • Evidence: Installation steps for official vendor resources, including posthog-js, posthog-node, posthog-python, and posthog-react-native, appear throughout the reference materials.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 7, 2026, 05:32 PM