PostHog

Review

Audited by ClawScan on May 1, 2026.

Overview

The artifacts describe a coherent PostHog integration through Maton-managed authentication, with disclosed credential use and user approval required for writes.

This looks like a purpose-aligned PostHog API skill, not a malicious artifact. Before installing, make sure you trust Maton with your PostHog OAuth connection, protect the MATON_API_KEY, use the intended connection when multiple accounts exist, and approve write actions only after checking their exact impact.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can access PostHog data and perform approved actions using the connected account's authority.

Why it was flagged

The skill requires a Maton API key and uses managed OAuth connections to act against the user's connected PostHog account.

Skill content

All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`

Recommendation

Use a Maton/PostHog connection with the least privilege needed, keep MATON_API_KEY private, and review any requested write action before approving it.

What this means

PostHog API requests and returned analytics data may pass through Maton's service as part of the managed authentication flow.

Why it was flagged

The integration routes PostHog API requests through Maton's gateway, which is expected for the skill but creates a third-party data and credential handling boundary.

Skill content

Maton proxies requests to `{subdomain}.posthog.com` and automatically injects your credentials.

Recommendation

Only install if you trust Maton to handle your PostHog connection and analytics data, and confirm this data flow fits your organization's policies.

What this means

Approved write operations could change PostHog configuration such as feature flags, experiments, dashboards, or connections.

Why it was flagged

The skill exposes PostHog API operations that can change account resources, but the artifact includes an explicit approval requirement for mutations.

Skill content

All write operations require explicit user approval. Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Before approving any mutation, verify the target project or connection, the exact resource being changed, and the expected effect.