Engagement Analytics Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only analytics guide with no executable installer, but it advises collecting user engagement data and using third-party platform credentials, so privacy and authorization controls matter.
This skill appears safe to install as documentation-only. Before using its examples in production, make sure analytics collection is consent-gated, PII is minimized or hashed, provider credentials are least-privilege, external AI/API processing is allowed by your policies, and any bulk suppression or tracking changes are reviewed before rollout.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users or customers could be profiled across sessions and channels if the analytics design is deployed without consent, minimization, and retention limits.
The skill guides creation of persistent per-user behavioral profiles and engagement scores. This is central to analytics, but it is privacy-sensitive and can influence later outreach or segmentation.
## User-Level Data Collection ... first_visit_date last_visit_date visit_count ... customer_ltv engagement_score cohort_month
Use explicit consent gating, hash or avoid personal identifiers, define retention periods, and document how engagement scores will be used.
User-generated comments or private moderation data could be shared with a third-party model provider if the example is implemented as written.
The sentiment-analysis example sends social comments to an external AI provider. This is purpose-aligned for sentiment analysis, but it is an external data flow that should be disclosed and controlled.
Comments: {comments} ... response = client.messages.create(model="claude-sonnet-4-20250514", ...)
Only send comments that are permitted for external processing, remove private data where possible, and follow the provider’s data-retention and compliance settings.
Over-scoped or leaked tokens could expose social account analytics or allow unintended account actions depending on granted permissions.
The examples require social-platform access tokens and administrative account authority. This is expected for owned social analytics, but credentials need careful scoping and storage.
TOKEN = "YOUR_LONG_LIVED_ACCESS_TOKEN" ... LinkedIn Marketing API — requires Company Admin access
Use least-privilege API scopes, avoid pasting real tokens into chat, store secrets in a vault, and rotate long-lived tokens on a schedule.
Valid contacts could be removed from marketing campaigns across multiple platforms if automation is deployed without review.
The email guidance includes permanent suppression and cross-platform synchronization. This is normal list hygiene, but incorrect rules could propagate a bad suppression decision across tools.
No opens after sunset flow → suppress permanently - Keep suppression list synchronized across all platforms (Klaviyo + Mailchimp if using both)
Test suppression rules on small segments first, keep audit logs, require approval before permanent or bulk suppression, and provide a recovery path.
