integration-swift
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill correctly instructs the agent to use environment variables for PostHog project tokens (POSTHOG_PROJECT_TOKEN) and hosts (POSTHOG_HOST), explicitly warning against hardcoding credentials in the source code.
- [EXTERNAL_DOWNLOADS]: The skill references the official PostHog iOS SDK repository (github.com/PostHog/posthog-ios) as a dependency via Swift Package Manager (SPM). This is an expected and safe practice for integrating the vendor's analytics library.
- [DATA_EXPOSURE]: While an example project token is included in the reference Xcode scheme file (phc_jE9kXU0...), this is a public-facing client-side token used for event routing, not a sensitive secret like an administrative API key. The instructions correctly emphasize that users should provide their own tokens via environment variables.
- [COMMAND_EXECUTION]: The instructions guide the agent in modifying the project.pbxproj file to add SPM dependencies. Although modifying Xcode project files is a complex operation, it is a necessary part of the skill's primary functionality and is handled through standard build system objects (PBXBuildFile, XCSwiftPackageProductDependency).
- [INDIRECT_PROMPT_INJECTION]: The skill involves reading and editing user-provided Swift files. While this creates a surface where untrusted project content could influence the agent, the skill defines a rigid, step-by-step workflow with clear objectives, which helps mitigate accidental obedience to embedded instructions in source code.
Audit Metadata