posthog-ci-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs using a command that embeds the API key on the command line (gh secret set ... --body "sk_test_***"), which requires the agent or user to handle and potentially output the secret value verbatim, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow references GitHub Actions that are fetched and executed at runtime (e.g., uses: actions/checkout@v4 and uses: actions/setup-node@v4), meaning the skill relies on remote repositories whose code will be executed during CI.