omnibus-instrument-product-analytics

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions and examples for downloading and installing various official PostHog SDKs (e.g., posthog-js, posthog-node, posthog-android) from trusted package registries. It also includes the official PostHog client-side initialization snippet which fetches analytics scripts from the vendor's asset delivery network.
  • [COMMAND_EXECUTION]: To set up the analytics environment, the skill executes standard shell commands to install dependencies using package managers such as npm, pnpm, pip, composer, and bundle.
  • [DATA_EXFILTRATION]: The core functionality involves capturing application events and user behavior data and transmitting it to PostHog's ingestion endpoints (e.g., us.i.posthog.com). This behavior is explicitly defined as the primary purpose of the skill and is directed entirely to the vendor's infrastructure.
  • [CREDENTIALS_UNSAFE]: While some reference examples include hardcoded project tokens (e.g., phc_...), these are public identifiers intended for use in frontend code and do not grant administrative access. The main skill instructions correctly emphasize the use of environment variables for secure configuration.
  • [PROMPT_INJECTION]: The skill analyzes codebase files to plan instrumentation, creating a surface for indirect prompt injection. However, given its intended use as a development tool by trusted users, this represents a typical operating risk for such agents and is categorized as a low-severity concern.
  • [SAFE]: No malicious patterns, such as persistence mechanisms, unauthorized privilege escalation, or multi-layer obfuscation, were identified. All operations are transparently tied to the official PostHog analytics service.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 11:56 AM