PostHog

by simonfunk · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 897 · Stars: 0 · Active Installs: 4 · Versions: 1
Install in OpenClaw
/install posthog
Description
Interact with PostHog analytics via its REST API. Capture events, evaluate feature flags, query data with HogQL, manage persons, insights, dashboards, experi...
Usage Guidance
This skill is a straightforward PostHog API helper and appears coherent. Before installing:
  1. Only provide PostHog credentials you trust this skill with — the POSTHOG_API_KEY (personal key) allows broad read/write access to project data; prefer scoped or read-only tokens if possible.
  2. The included script calls curl and uses jq in some flows; the bundle's metadata does not declare required binaries, so ensure curl/jq/bash are available.
  3. Be cautious when running or allowing automated HogQL queries — they can export sensitive data from your PostHog project.
  4. Review and rotate any API keys you provide if you stop using the skill.
  5. Because there is no install process, the script only runs when invoked, and the skill does not auto-install itself or request extra privileges.
Capability Analysis
Type: OpenClaw Skill · Name: posthog · Version: 1.0.0
The skill bundle is classified as suspicious due to a shell injection vulnerability in the `scripts/posthog.sh` helper script. Several commands within the script (e.g., `capture`, `evaluate-flags`, `create-annotation`) directly interpolate user-supplied arguments into `curl -d` string arguments without proper shell escaping. This allows an attacker to execute arbitrary commands on the system by providing specially crafted input containing command substitutions (e.g., `$(evil_command)`). While this is a significant security flaw, there is no evidence of intentional malicious behavior like data exfiltration to unauthorized destinations or persistence mechanisms; the script's core purpose is legitimate interaction with the PostHog API.
Capability Assessment
Purpose & Capability
The name/description match the included SKILL.md, API reference, and the helper script. The environment variables requested (personal API key, project ID, optional project API key, and host overrides) are appropriate for interacting with PostHog's public and private APIs.
Instruction Scope
Instructions and the script operate only against PostHog endpoints and use the declared env vars. The skill enables arbitrary HogQL queries (via the query command), which is expected for a data-querying tool but is powerful — queries can retrieve sensitive user data if the PostHog project contains PII. The SKILL.md does not instruct reading unrelated files or environment variables. It does assume use of common CLI tools (curl, jq) but those binaries are not declared as required.
Install Mechanism
No install spec is provided (instruction-only with an included helper script). This is lower risk than arbitrary code downloads. The script is stored in the skill bundle and will only run when invoked.
Credentials
The only credentials requested are PostHog personal and project keys and project ID, which are appropriate for the stated capabilities. Note: the personal API key grants wide read/write access to a project (private endpoints), so granting it has elevated impact — consider least-privilege tokens or a dedicated read-only token if available.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does not modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install posthog
  3. After installation, invoke the skill by name or use /posthog
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Full PostHog API skill with HogQL queries, event capture, feature flags, persons, insights, dashboards, experiments, surveys, and more
Metadata
Slug: posthog
Version: 1.0.0
License:
All-time Installs: 4
Active Installs: 4
Total Versions: 1
Frequently Asked Questions

What is PostHog?

Interact with PostHog analytics via its REST API. Capture events, evaluate feature flags, query data with HogQL, manage persons, insights, dashboards, experi... It is an AI Agent Skill for Claude Code / OpenClaw, with 897 downloads so far.

How do I install PostHog?

Run "/install posthog" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is PostHog free?

Yes, PostHog is completely free (open-source). You can download, install and use it at no cost.

Which platforms does PostHog support?

PostHog is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created PostHog?

It is built and maintained by simonfunk (@simonfunk); the current version is v1.0.0.
