posthog-upgrade-migration

SUSPICIOUS. The skill’s overall purpose is legitimate, but its trust story is internally inconsistent: it presents a PostHog SDK migration flow while the install target and release-note source do not clearly map to an official PostHog-owned package/repo. This is not confirmed malware, but it is a medium-risk supply-chain concern for an AI agent skill that changes dependencies automatically.