ClawHub

Posthog Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PostHog automation skill, but it needs normal care because it uses a write-capable PostHog API key to create and update dashboards.

Install only if you are comfortable giving the skill a PostHog API key with write access. Prefer a dedicated least-privilege key, confirm POSTHOG_HOST points to the intended PostHog region, test in a non-production project first, and keep a backup or version-controlled copy of dashboard JSON configs before running create or update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly relies on shell execution (`bash`, `curl`, `jq`) and performs API-driven state changes, but the metadata shown in the skill does not declare corresponding permissions or execution capabilities. This creates a transparency and policy-enforcement gap: a user or platform may underestimate what the skill can do, including making authenticated network requests and modifying remote resources.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation states that the script will automatically update the user's config file with the `dashboard_id`, but it does not clearly warn that a local file will be modified in place. Silent or unexpected file mutation can lead to accidental overwrites, corrupted configs, or unsafe assumptions in automation pipelines where the file is treated as immutable input.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal