integration-tanstack-start
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill explicitly mandates the use of environment variables for PostHog project tokens and hosts, preventing the risk of hardcoded credentials in the source code.
- [SAFE]: All external software dependencies referenced (@posthog/react and posthog-node) are legitimate libraries provided by the vendor (PostHog).
- [SAFE]: The skill correctly implements security-sensitive features such as session resetting on logout and secure server-side event capture using a singleton client pattern.
- [PROMPT_INJECTION]: The workflow requires the agent to read and analyze existing project files to generate an event tracking plan. This creates a surface for indirect prompt injection if the user's project files contain malicious instructions, though the risk is inherent to the skill's primary function of code analysis.
  - Ingestion points: project files analyzed in basic-integration-1.0-begin.md.
  - Boundary markers: Absent.
  - Capability inventory: file-write operations to .posthog-events.json and edits to project source files.
  - Sanitization: No explicit sanitization is performed on the data ingested from project files.
Audit Metadata