instrument-product-analytics
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell-based operations to manage project dependencies and verify implementation quality.
- Executes platform-specific package manager commands such as npm install, pip install, pnpm start, and bundle install to integrate the PostHog SDK (Step 3).
- Invokes project-defined build scripts, type checkers, and formatting tools like Prettier during the verification phase (Step 10).
- [EXTERNAL_DOWNLOADS]: Fetches software components and configuration patterns from established technology providers.
- Downloads SDK packages from official public registries (NPM, PyPI, RubyGems).
- References implementation examples and technical documentation hosted on PostHog's official GitHub repositories and web domains.
- [DATA_EXFILTRATION]: Configures the application to transmit telemetry data and user identifiers to an external analytics platform.
- Instruments the codebase to capture user behavioral events and identification metadata, such as usernames or email addresses extracted from login and signup forms (Step 5, Step 6, Step 7).
- Transmits the collected data to PostHog's ingestion infrastructure. This behavior is the intended function of the skill for providing product analytics.
- [SAFE]: The skill analyzes codebase files and writes configuration, presenting a surface for indirect prompt injection that is inherent to its instrumentation purpose.
- Ingestion points: Reads local project structure, dependency files (e.g., package.json, requirements.txt), and source code to plan instrumentation (Step 1, Step 5).
- Boundary markers: Absent.
- Capability inventory: Performs file system writes and executes shell commands for package installation and linting (Step 3, 6, 7, 8, 9, 10).
- Sanitization: Absent.
Audit Metadata