adding-analytics
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities detected. The skill's behavior is consistent with its stated purpose of assisting with analytics integration.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing official PostHog libraries (posthog-js, posthog-node, posthog) via standard package managers. These are official SDKs from a well-known technology company and are appropriate for the skill's functionality.
- [CREDENTIALS_UNSAFE]: The skill adheres to security best practices by explicitly instructing the user to use environment variables (process.env.NEXT_PUBLIC_POSTHOG_KEY) and avoid hardcoding API keys.
- [DATA_EXFILTRATION]: Configuration instructions point to PostHog's official endpoint (https://us.i.posthog.com), which is necessary for the service to function and does not constitute unauthorized exfiltration.
- [PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection because it reads project configuration files (e.g., package.json, next.config.js) to detect the development framework. However, the logic is limited to identification for template generation and does not execute untrusted data.
  - Ingestion points: Project configuration files (SKILL.md).
  - Boundary markers: Absent.
  - Capability inventory: Framework detection and source code generation.
  - Sanitization: Absent.
Audit Metadata