Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Posthog Analytics

v1.2.0

Automate PostHog dashboard creation, sync, update, and export via API. Covers dashboard CRUD, insight creation, cohort management, and API-driven analytics w...

by Solomon Neas (@solomonneas)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and included Bash script implement PostHog dashboard/insight create/sync/update/export via the PostHog API, which matches the skill name and description. However, registry metadata lists no required environment variables or primary credential while the SKILL.md and script require POSTHOG_PERSONAL_API_KEY — this mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions and the script are narrowly scoped to: read a JSON config, call the PostHog API (host configurable via POSTHOG_HOST), create/update/export dashboards/insights, and write the dashboard_id back to the provided config file. The instructions do not reference unrelated system files, other credentials, or external endpoints outside the configured PostHog hosts.
Install Mechanism
No install spec is provided (instruction-only). The script depends on standard tools (curl, jq, bash). No downloads or archive extraction are performed by the skill itself.
Credentials
The script and SKILL.md require POSTHOG_PERSONAL_API_KEY (with read/write access) and optional POSTHOG_HOST/POSTHOG_UI_HOST. Registry metadata (as reported) declares no required env vars or primary credential — this is a discrepancy. The required API key is appropriate for the described functionality, but the missing declaration in the registry is a red flag and should be fixed so installers know what sensitive credential will be used.
Persistence & Privilege
The skill does not request permanent installation privileges (always:false). The script modifies only the config file you pass it (it writes dashboard_id back into that file via a safe tmp file). It does not change other skills, global agent config, or request elevated system privileges.
What to consider before installing
This skill appears to do what it claims (manage PostHog dashboards) and the included script is readable and scoped. However:
(1) The registry metadata failing to declare POSTHOG_PERSONAL_API_KEY and the primary credential is an inconsistency. Confirm the registry/author lists the API key as required before installing.
(2) Review the script locally before running and run it with a minimal-permission PostHog API key (only the org/project needed), and avoid running as root.
(3) jq and curl are required; ensure they come from trusted sources.
(4) Note the script will update the JSON config file you pass (it writes dashboard_id back into it); keep backups if needed.
(5) If you have any doubt about the source (homepage unknown, source unknown), consider testing in a disposable project or environment first and rotate the API key after initial use.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Environment variables
POSTHOG_PERSONAL_API_KEY (required): PostHog personal API key with read/write access
POSTHOG_HOST (optional): PostHog API host (EU: eu.i.posthog.com)
POSTHOG_UI_HOST (optional): PostHog UI host for dashboard URLs
