ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PostHog

Interact with PostHog analytics via its REST API. Capture events, evaluate feature flags, query data with HogQL, manage persons, insights, dashboards, experi...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 563 · 4 current installs · 4 all-time installs
by@simonfunk
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included SKILL.md, API reference, and the helper script. The environment variables requested (personal API key, project ID, optional project API key, and host overrides) are appropriate for interacting with PostHog's public and private APIs.
Instruction Scope
Instructions and the script operate only against PostHog endpoints and use the declared env vars. The skill enables arbitrary HogQL queries (via the query command), which is expected for a data-querying tool but is powerful — queries can retrieve sensitive user data if the PostHog project contains PII. The SKILL.md does not instruct reading unrelated files or environment variables. It does assume use of common CLI tools (curl, jq) but those binaries are not declared as required.
Install Mechanism
No install spec is provided (instruction-only with an included helper script). This is lower risk than arbitrary code downloads. The script is stored in the skill bundle and will only run when invoked.
Credentials
The only credentials requested are PostHog personal and project keys and project ID, which are appropriate for the stated capabilities. Note: the personal API key grants wide read/write access to a project (private endpoints), so granting it has elevated impact — consider least-privilege tokens or a dedicated read-only token if available.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does not modify other skills or system-wide configs.
Assessment
This skill is a straightforward PostHog API helper and appears coherent. Before installing: 1) Only provide PostHog credentials you trust this skill with — the POSTHOG_API_KEY (personal key) allows broad read/write access to project data; prefer scoped or read-only tokens if possible. 2) The included script calls curl and uses jq in some flows; the bundle's metadata does not declare required binaries, so ensure curl/jq/bash are available. 3) Be cautious when running or allowing automated HogQL queries — they can export sensitive data from your PostHog project. 4) Review and rotate any API keys you provide if you stop using the skill. 5) Because there is no install process, the script only runs when invoked, and the skill does not auto-install itself or request extra privileges.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9710p2v1tszknajfynvey6w6h818p9c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

PostHog API Skill

Interact with PostHog via its REST API. Two types of endpoints:

  • Public (POST-only, project API key): capture events, evaluate flags — no rate limits
  • Private (personal API key): query, CRUD for all resources — rate limited

Setup

  1. Get personal API key: https://us.posthog.com/settings/user-api-keys
  2. Get project ID: https://us.posthog.com/settings/project#variables
  3. Set env vars: 
    export POSTHOG_API_KEY="phx_..."
export POSTHOG_PROJECT_ID="12345"
export POSTHOG_PROJECT_API_KEY="phc_..."  # optional, for capture/flags
# For EU Cloud:
# export POSTHOG_HOST="https://eu.posthog.com"
# export POSTHOG_INGEST_HOST="https://eu.i.posthog.com"
  4. Verify: bash scripts/posthog.sh whoami

Helper Script

scripts/posthog.sh wraps common operations. Run bash scripts/posthog.sh help for full usage.

Examples

# Capture an event
bash scripts/posthog.sh capture "signup" "user_123" '{"plan":"pro"}'

# Evaluate feature flags
bash scripts/posthog.sh evaluate-flags "user_123"

# HogQL query — top events last 7 days
bash scripts/posthog.sh query "SELECT event, count() FROM events WHERE timestamp >= now() - INTERVAL 7 DAY GROUP BY event ORDER BY count() DESC LIMIT 20"

# List persons
bash scripts/posthog.sh list-persons 10 | jq '.results[] | {name, distinct_ids}'

# List feature flags
bash scripts/posthog.sh list-flags | jq '.results[] | {id, key, active}'

# Create a feature flag
echo '{"key":"new-dashboard","name":"New Dashboard","active":true,"filters":{"groups":[{"rollout_percentage":50}]}}' | \
  bash scripts/posthog.sh create-flag

# List dashboards
bash scripts/posthog.sh list-dashboards | jq '.results[] | {id, name}'

Key Concepts

Two API types

  • Public endpoints (/i/v0/e/, /batch/, /flags): Use project API key in body. No auth header. No rate limits.
  • Private endpoints (/api/projects/:project_id/...): Use personal API key via Authorization: Bearer. Rate limited.

HogQL Queries

The query endpoint (POST /api/projects/:project_id/query/) is the most powerful way to extract data. Uses SQL-like HogQL syntax against tables: events, persons, sessions, groups, plus data warehouse tables.

Always include time ranges and LIMIT. Use timestamp-based pagination for large exports.

Rate Limits (private endpoints)

TypeLimit
Analytics (insights, persons, recordings)240/min, 1200/hr
Query endpoint2400/hr
Feature flag local evaluation600/min
Other CRUD480/min, 4800/hr

Limits apply per organization. On 429: back off and retry.

Domains

CloudPublicPrivate
USus.i.posthog.comus.posthog.com
EUeu.i.posthog.comeu.posthog.com

Events API (deprecated)

The /api/projects/:project_id/events/ endpoint is deprecated. Use HogQL queries or batch exports instead.

Direct curl

# Private endpoint
curl -H "Authorization: Bearer $POSTHOG_API_KEY" \
  "$POSTHOG_HOST/api/projects/$POSTHOG_PROJECT_ID/feature_flags/"

# HogQL query
curl -H "Authorization: Bearer $POSTHOG_API_KEY" \
  -H "Content-Type: application/json" \
  -X POST -d '{"query":{"kind":"HogQLQuery","query":"SELECT count() FROM events WHERE timestamp >= now() - INTERVAL 1 DAY"}}' \
  "$POSTHOG_HOST/api/projects/$POSTHOG_PROJECT_ID/query/"

# Capture event (public)
curl -H "Content-Type: application/json" \
  -X POST -d '{"api_key":"'$POSTHOG_PROJECT_API_KEY'","event":"test","distinct_id":"u1"}' \
  "$POSTHOG_INGEST_HOST/i/v0/e/"

Full API Reference

See references/api-endpoints.md for complete endpoint listing with parameters, body schemas, scopes, and response formats.

Sections: Public Endpoints (Capture, Batch, Flags), Private Endpoints (Persons, Feature Flags, Insights, Dashboards, Annotations, Cohorts, Experiments, Surveys, Actions, Session Recordings, Users, Definitions), Query API (HogQL).

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…