ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PostHog

v1.0.0

Interact with PostHog analytics via its REST API. Capture events, evaluate feature flags, query data with HogQL, manage persons, insights, dashboards, experi...

0· 752·4 current·4 all-time
by@simonfunk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included SKILL.md, API reference, and the helper script. The environment variables requested (personal API key, project ID, optional project API key, and host overrides) are appropriate for interacting with PostHog's public and private APIs.
Instruction Scope
Instructions and the script operate only against PostHog endpoints and use the declared env vars. The skill enables arbitrary HogQL queries (via the query command), which is expected for a data-querying tool but is powerful — queries can retrieve sensitive user data if the PostHog project contains PII. The SKILL.md does not instruct reading unrelated files or environment variables. It does assume use of common CLI tools (curl, jq) but those binaries are not declared as required.
Install Mechanism
No install spec is provided (instruction-only with an included helper script). This is lower risk than arbitrary code downloads. The script is stored in the skill bundle and will only run when invoked.
Credentials
The only credentials requested are PostHog personal and project keys and project ID, which are appropriate for the stated capabilities. Note: the personal API key grants wide read/write access to a project (private endpoints), so granting it has elevated impact — consider least-privilege tokens or a dedicated read-only token if available.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does not modify other skills or system-wide configs.
Assessment
This skill is a straightforward PostHog API helper and appears coherent. Before installing: 1) Only provide PostHog credentials you trust this skill with — the POSTHOG_API_KEY (personal key) allows broad read/write access to project data; prefer scoped or read-only tokens if possible. 2) The included script calls curl and uses jq in some flows; the bundle's metadata does not declare required binaries, so ensure curl/jq/bash are available. 3) Be cautious when running or allowing automated HogQL queries — they can export sensitive data from your PostHog project. 4) Review and rotate any API keys you provide if you stop using the skill. 5) Because there is no install process, the script only runs when invoked, and the skill does not auto-install itself or request extra privileges.

Like a lobster shell, security has layers — review code before you run it.

latestvk9710p2v1tszknajfynvey6w6h818p9c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments