instrument-feature-flags
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill is authored by PostHog and facilitates the instrumentation of their own official feature flag service. All external resources, including documentation URLs (posthog.com) and SDK packages, originate from the trusted vendor.
- [COMMAND_EXECUTION]: The documentation provides standard installation commands for various package managers (npm, pip, composer, cargo, etc.) to fetch official PostHog libraries. These operations are intended for environment setup and target well-known registries.
- [CREDENTIALS_SAFE]: The skill implements a secure-by-default approach to secrets. It explicitly instructs the agent to store API tokens in environment files (like .env) and reference those variables in code rather than hardcoding them.
- [DATA_EXPOSURE]: The skill reads codebase configuration files (e.g., package.json, requirements.txt) to detect the user's platform. This is a legitimate functional requirement for cross-platform support.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data by reading project files. However, the risk is mitigated as the skill uses this information for structured instrumentation and encourages the agent to read files immediately before writing to maintain accurate context. (Internal severity: SAFE).
Audit Metadata