ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Engagement Analytics Skill

v1.0.0

Use this skill whenever the user needs help with behavioral analytics, engagement tracking, or data collection across any digital touchpoint. Trigger for: we...

0· 10·0 current·0 all-time
by@abhishekj9621
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md align: this is an analytics/engagement tracking guide covering website, email, social, and mobile analytics. The modules and recommended APIs (GTM, GA4, Klaviyo, Mailchimp, Firebase, Amplitude, Mixpanel, AppsFlyer, Meta Graph, LinkedIn) are coherent with the stated purpose.
!
Instruction Scope
The SKILL.md goes far beyond high-level advice: it includes concrete code snippets that show collecting and pushing user-level data (user_id, session_id, email examples, navigator.userAgent, stack_trace_id, fields touched in forms), webhook configuration, scraping actors (Apify), and using an LLM (Anthropic) for sentiment analysis. While many recommendations are standard for analytics, the instructions give operational detail that would cause data to be transmitted to many external endpoints if followed. The document lacks strict, enforceable runtime constraints (e.g., explicit rules to never send hashed IDs to third parties, examples of safe secret handling) and sometimes shows plaintext PII in examples. That increases the risk of accidental exposure or misuse if an agent or implementer follows the examples without controls.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. This minimizes disk-write and supply-chain risk.
Credentials
The skill declares no required environment variables or credentials, yet contains many examples that require API keys/tokens (Klaviyo, Mailchimp, Meta Graph, LinkedIn, Apify, Amplitude, Mixpanel, AppsFlyer, Anthropic). That mismatch means the skill will not itself request credentials but the instructions assume access to many third-party keys; users should confirm which credentials an agent (or implementation) will actually use and restrict them appropriately.
Persistence & Privilege
No 'always: true', no install actions, and no claims of modifying other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other high privileges in this package.
Scan Findings in Context
[scanner:none] expected: The static scanner had no regex findings. This is expected because the skill is instruction-only; the SKILL.md is the primary security surface to review.
What to consider before installing
This skill is a detailed, practical guide for implementing analytics across web, email, mobile, and social — which is consistent with its name. However, it also contains runnable examples that would transmit user-level or device-level data to many third-party services (analytics providers, scrapers, and an LLM) if followed. Before installing or enabling this skill: - Confirm which external APIs you or the agent will actually call and only provide the minimum-scoped credentials necessary. Do not supply global or multi-account keys. - Enforce consent gating and PII controls in code paths (the doc advises hashing PII, but examples sometimes show plaintext) and validate hashing/consent is implemented before any external transmission. - Decide data residency and retention policies for sensitive signals (user IDs, device info, stack traces) and avoid sending raw identifiers to third parties. - Be cautious with recommended scrapers (Apify) — scraping may have legal/ToS implications and can collect third-party personal data. - If the agent can call the skill autonomously, restrict or audit outbound calls so the agent cannot silently create webhooks or post events to external endpoints without explicit, per-use authorization. If you need this skill's guidance but want lower risk, use it as a read-only reference (do not grant it credentials or network access) and have developers implement the instrumentation with careful secrets management and privacy reviews.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769n6r6hwz7yn26c9af031jn8429ts

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Engagement Analytics Tracker Skill

A comprehensive skill for designing, implementing, and interpreting behavioral analytics across four touchpoint layers: website, email, social, and mobile app.

Four Tracking Modules

ModuleReference FileUse When
Website Behavioral Analyticsreferences/website-analytics.mdGTM, GA4, scroll/form/session tracking
Email Engagement Trackerreferences/email-analytics.mdKlaviyo, Mailchimp, open/click/attribution
Social Media Engagementreferences/social-analytics.mdOwned + competitor social tracking
Mobile App Analyticsreferences/mobile-analytics.mdFirebase, Amplitude, Mixpanel, AppsFlyer

Load strategy: Load only the relevant module(s) based on the user's question. For full analytics stack questions ("build me a complete analytics system"), load all four.

Universal Data Principles

These apply across ALL four modules:

Event Naming Convention (Use Everywhere)

object_action
# Examples:
page_viewed          button_clicked       form_abandoned
video_played         product_viewed       email_opened
session_started      feature_used         purchase_completed
  • Always lowercase with underscores
  • Object first, then action
  • Be specific: checkout_form_abandoned not form_event
  • Keep consistent across all platforms — the same action has the same name everywhere

Data Layer Structure (Web)

window.dataLayer = window.dataLayer || [];
dataLayer.push({
  event: 'event_name',           // string — always required
  user_id: 'u_abc123',           // hashed or anonymized
  session_id: 'ses_xyz',
  timestamp: new Date().toISOString(),
  page_path: window.location.pathname,
  // event-specific properties below:
  element_id: 'hero_cta',
  element_text: 'Start Free Trial',
});

Engagement Scoring Formula

A composite score usable across web, email, and app:

Engagement Score = 
  (Sessions × 1) +
  (Pages per session × 2) +
  (Scroll 75%+ events × 3) +
  (CTA clicks × 5) +
  (Email opens × 2) +
  (Email clicks × 5) +
  (App sessions × 3) +
  (Feature completions × 8) +
  (Conversions × 20)

Score tiers:
  0–20:   Cold (re-engagement candidate)
  21–50:  Warming (nurture sequence)
  51–100: Engaged (sales-ready consideration)
  100+:   High Value (priority outreach)

Adjust weights based on business model. Recalculate weekly per user.

Privacy & Compliance Baseline

  • Never collect raw PII in event properties — hash emails/IDs before sending to any platform
  • Implement consent gating: fire tracking tags only after user consents (GDPR)
  • Use server-side tagging (GTM Server-Side) for sensitive data flows
  • Respect Do Not Track headers and browser privacy modes
  • Apple ATT opt-in required for IDFA on iOS — design attribution without assuming access
  • CCPA: provide opt-out mechanism; do not sell behavioral data without consent

Quick Implementation Checklist

New Analytics Setup

  • Define tracking plan: events, properties, naming convention — before touching any tool
  • Set up GTM container (web) or SDK (mobile)
  • Implement dataLayer or SDK event calls
  • Configure GA4 or destination analytics platform
  • Validate all events in debug/preview mode before going live
  • Set up consent management (CMP) gating
  • Create dashboards for key metrics
  • Schedule regular data quality audits

Existing Analytics Audit

  • Are events named consistently? (check for duplicates with different names)
  • Is user_id passed and consistent across sessions and platforms?
  • Are conversion events firing correctly? (test end-to-end)
  • Is there data loss from consent mode, ad blockers, or iOS ATT?
  • Are email UTM parameters correctly attributed in GA4?
  • Are mobile sessions merging correctly with web sessions (cross-device)?

Cross-Channel Attribution Model

When a user touches multiple channels before converting:

Journey: Paid Ad → Email Click → Direct Visit → Converted

Attribution options:
  Last-click:     Direct gets 100% credit (most common, least accurate)
  First-click:    Paid Ad gets 100% credit
  Linear:         All 3 channels get 33% each
  Time-decay:     Direct > Email > Paid Ad (recency-weighted)
  Data-driven:    ML model (GA4 DDA) — most accurate, needs volume

Recommended: Use GA4 Data-Driven Attribution (DDA) when you have 500+ conversions/month. Below that volume, use Linear to avoid bias toward any single channel.

Track cross-channel with UTM parameters on all non-direct traffic:

?utm_source=klaviyo&utm_medium=email&utm_campaign=may_reengagement&utm_content=cta_button

Output Templates

Event Schema Definition

Event Name: [object_action]
Trigger: [when exactly does this fire?]
Properties:
  - property_name (type): description, example value
  - property_name (type): ...
Platform: [GTM / Firebase / Klaviyo / etc.]
Destination: [GA4 / BigQuery / Amplitude / etc.]
Privacy: [PII risk? How handled?]

Analytics Health Report

DATE: [date]
COVERAGE: [% of key user actions being tracked]
DATA QUALITY: [issues found — missing events, duplicates, naming inconsistencies]
TOP INSIGHTS THIS PERIOD: [what the data shows]
ACTION ITEMS: [what to fix or investigate]

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…