posthog
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill demonstrates safe handling of credentials by using placeholders (e.g., 'phc_your_project_key') in documentation. It also includes configuration patterns to mask passwords in session recordings, which is a standard privacy practice. No hardcoded secrets or unauthorized exfiltration attempts were found.
- [External Downloads] (SAFE): All referenced dependencies (posthog-js, posthog-node, @clerk/nextjs, next-auth) are widely used, legitimate packages from the npm registry. No unverified or high-risk remote scripts are downloaded or executed.
- [Prompt Injection] (SAFE): The instructions do not contain any patterns designed to bypass agent safety filters or override system prompts. Natural instructional terms like 'IMPORTANT' are used solely for emphasizing technical implementation details, such as the necessity of shutting down server-side clients.
- [Command Execution] (SAFE): Although 'Bash' is listed as an allowed tool, it is only suggested for standard tasks like setting environment variables in a .env.local file. There are no instructions for running arbitrary or dangerous shell commands.
Audit Metadata