Posthog CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent PostHog CLI guide, but it gives an agent broad ability to change or delete PostHog resources and bypass confirmations.

Install only if you trust the community phog-cli package and want agent-assisted PostHog administration, not just read-only reporting. Use a least-privilege PostHog token, prefer test or read-only credentials where possible, and require explicit review before any --yes command, delete, rollout change, experiment launch/end, or raw API POST/PATCH/DELETE call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The command reference materially exceeds the stated analytics-focused purpose by exposing broad state-changing administration, including create, update, launch, stop, and delete operations across flags, experiments, surveys, dashboards, insights, and raw API access. In an agent setting, this expands the action surface from read-oriented analytics into project administration, increasing the chance that a user request about reporting or analysis could be satisfied with harmful mutations or destructive actions.

Context-Inappropriate Capability

High (97% confidence)
Finding
The raw API escape hatch allows arbitrary project-scoped requests, including mutation and deletion, which defeats any safety implied by a curated command set. Because it can reach endpoints beyond the documented analytics use cases, it enables privilege expansion, policy bypass, and potentially irreversible project changes under the guise of a general analytics skill.

Missing User Warnings

Medium (88% confidence)
Finding
The documentation promotes raw API access and arbitrary query execution without warning that responses may contain sensitive analytics data, PII, tokens, or destructive capabilities. In an agent context, this increases the chance of exposing or mishandling sensitive tenant data because the model may treat all output as safe to display or reuse.

Missing User Warnings

Medium (95% confidence)
Finding
The documented `posthog --yes flag delete <flag-id>` command bypasses confirmation and provides no warning about irreversible impact. In an agent workflow, showing destructive commands as normal examples increases the likelihood of silent deletion of feature flags, which can disrupt releases, experiments, and production behavior.

Missing User Warnings

Medium (94% confidence)
Finding
The experiment deletion example includes confirmation bypass with no user-facing caution, normalizing an irreversible operation in a general reference. If used by an agent without an added approval step, it could remove experimentation history or active test configurations and impair product decision-making.

Missing User Warnings

Medium (95% confidence)
Finding
The survey deletion command bypasses confirmation and lacks any caution about losing survey configuration or associated workflow continuity. Within this skill context, an agent could be prompted to manage feedback tooling and end up permanently deleting surveys instead of merely stopping them.

Missing User Warnings

Medium (93% confidence)
Finding
The dashboard deletion example presents a destructive command without warning, increasing the risk that an agent or user treats permanent removal as a routine management step. Deleting dashboards can remove shared analytical views and disrupt team workflows even if underlying data remains intact.

Missing User Warnings

Medium (94% confidence)
Finding
The insight deletion command bypasses confirmation and lacks any warning despite being an irreversible operation on saved analytical assets. In an analytics-oriented skill, this is especially risky because users are more likely to expect read/query behavior, not permanent deletion of saved insights.

Missing User Warnings

High (98% confidence)
Finding
The raw API delete escape hatch combines arbitrary endpoint targeting with confirmation bypass and no warning, creating a highly dangerous mechanism for irreversible changes. Because it is project-scoped but otherwise generic, it can be used to delete many resource types outside the documented examples, making accidental or malicious destructive actions far more likely.

VirusTotal

66/66 vendors flagged this skill as clean.
