Is posthog safe?

https://clawhub.ai/simonfunk/posthog

82
SAFE

This PostHog API skill is a legitimate analytics integration wrapper with no malicious intent detected. The primary risks are: (1) JSON injection in the create-annotation command due to unescaped string interpolation, (2) potential credential theft if the POSTHOG_HOST or POSTHOG_INGEST_HOST environment variables are overridden by a malicious actor, and (3) the powerful HogQL query interface, which could inadvertently expose PII from analytics data. No prompt injection, canary file access, or suspicious clone-time behavior was observed.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM JSON injection in create-annotation command -12

The create-annotation command in posthog.sh directly interpolates user-supplied arguments ($1 and $2) into a JSON string using double quotes without escaping. If the content or date_marker contains double quotes or backslashes, this breaks the JSON structure and could lead to malformed requests or unexpected behavior.

MEDIUM Env var host override enables credential theft -18

POSTHOG_HOST and POSTHOG_INGEST_HOST environment variables are trusted without any validation. If an attacker can set these variables (via another skill, .env file manipulation, or shell profile modification), all API requests including Bearer tokens and project API keys would be sent to an attacker-controlled server.

LOW Powerful HogQL query access to analytics data -10

The query endpoint provides SQL-like access to events, persons, sessions, and groups tables. An agent executing queries on behalf of a user could inadvertently expose PII (email addresses, user properties, session recordings) in its output context, which could then be visible to other skills or logged.

LOW Overly broad skill activation keywords -10

The skill description includes many generic trigger phrases that could cause unintended skill activation when the user mentions analytics-related terms in unrelated contexts.

INFO Capture endpoint as potential exfiltration channel -15

The public capture endpoint accepts arbitrary event data with arbitrary properties. In a multi-skill scenario, a malicious companion skill could instruct the agent to use the PostHog capture command to send sensitive local data disguised as analytics events to the user's PostHog instance, effectively using it as a data staging ground.

INFO Shell script uses curl with -sf flags -10

The posthog.sh script uses curl with -s (silent) and -f (fail silently on HTTP errors), so on an HTTP error the response body and curl's own error message are suppressed and only a non-zero exit status remains. This could mask security-relevant errors like 401 Unauthorized (leaked/invalid keys) or unexpected redirects.