analytics-tracking

Security checks across malware telemetry and agentic risk

Overview

This is an ordinary analytics setup guide. Its examples involve privacy-sensitive tracking (user identifiers, server-side conversion events), but the skill contains no hidden or automatic harmful behavior.

Install only if you are comfortable adapting the examples to your own privacy rules: treat user_id as a pseudonymous, non-PII identifier; keep raw e-mail addresses and other direct identifiers out of analytics payloads; gate tracking behind consent where required; and review Meta Conversions API (CAPI) and any other ad-platform data sharing with legal and privacy stakeholders before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings (Medium severity, 91% confidence)

The skill explicitly recommends passing `user_id` and linking analytics data to a CRM/DB without a clear privacy warning, lawful-basis check, or guidance to avoid sending directly identifying or sensitive personal data. In an analytics-implementation skill, this is materially risky because users may copy the example into production and create unnecessary cross-system identity linkage that increases privacy and compliance exposure.

Missing User Warnings (Medium severity, 94% confidence)

The skill recommends Meta Conversions API as a best practice but does not warn that server-side events transmit user and event data to a third-party advertising platform, potentially including identifiers and conversion metadata. This omission is risky in this context because implementers may deploy CAPI broadly without assessing consent, data-sharing scope, regional legal requirements, or data-minimization controls.

Missing User Warnings (Medium severity, 92% confidence)

The documented GTM setup explicitly configures `user_id` via custom JavaScript and sends it in the GA4 configuration without any privacy warning, consent prerequisite, or guidance on identifier handling. In an analytics implementation skill, this is risky because users may copy the pattern directly and deploy cross-session identifiers in ways that violate privacy expectations, internal policy, or regulatory requirements if consent and disclosure are not in place.

Missing User Warnings (Medium severity, 95% confidence)

The signup tracking example pushes `user_id` into the data layer and forwards it as a GA4 event parameter, again without warning about privacy implications, minimization, or consent requirements. Because this file is a how-to reference for production analytics setups, the skill context increases the likelihood of direct implementation, making silent propagation of user identifiers more dangerous than a purely theoretical example.
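The hardened form of the signup push that the last two findings describe, added as an example that is not code from the analytics-tracking skill or from SkillSpector: the push happens only with analytics consent, values that look like direct identifiers are rejected before anything reaches the data layer, and user_id must be an opaque token rather than an e-mail or similar. The consent object shape, the dataLayer argument (window.dataLayer in a browser), the disallowed-key list, the identifier patterns and the event name sign_up are assumptions to adapt to your own policy.

```javascript
// Added example, not part of the analytics-tracking skill.
// Consent-gated, identifier-checked dataLayer push for a GA4 sign_up event.

// Values matching these patterns are direct identifiers and never reach
// analytics. Deliberately conservative: a false positive drops one
// parameter, a false negative leaks PII.
const DIRECT_IDENTIFIER_PATTERNS = [
  /^[^\s@]+@[^\s@]+\.[^\s@]+$/,   // e-mail address
  /^\+?\d[\d\s().-]{7,}\d$/,      // phone number
];

// Keys that are disallowed regardless of value (assumed list).
const DISALLOWED_KEYS = new Set([
  'email', 'phone', 'name', 'first_name', 'last_name', 'address',
]);

// A pseudonymous user_id is an opaque token: no '@', no whitespace, bounded.
const PSEUDONYMOUS_ID = /^[A-Za-z0-9_-]{8,64}$/;

function isDirectIdentifier(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  return DIRECT_IDENTIFIER_PATTERNS.some((re) => re.test(v));
}

// Returns the parameters safe to send plus a record of what was dropped and why,
// so the drop is visible in logs rather than silent.
function sanitizeParams(params) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params || {})) {
    if (DISALLOWED_KEYS.has(key.toLowerCase())) {
      dropped.push({ key, reason: 'disallowed key' });
    } else if (isDirectIdentifier(value)) {
      dropped.push({ key, reason: 'value looks like a direct identifier' });
    } else if (key === 'user_id' && !PSEUDONYMOUS_ID.test(String(value))) {
      dropped.push({ key, reason: 'user_id is not an opaque pseudonymous token' });
    } else {
      clean[key] = value;
    }
  }
  return { clean, dropped };
}

// consent: { analytics: boolean } is an assumed shape; map it to your CMP.
// dataLayer: the array GTM reads (window.dataLayer in a browser).
function pushSignupEvent(dataLayer, consent, params) {
  if (!consent || consent.analytics !== true) {
    return { pushed: false, reason: 'no analytics consent', dropped: [] };
  }
  const { clean, dropped } = sanitizeParams(params);
  dataLayer.push({ event: 'sign_up', ...clean });
  return { pushed: true, reason: null, dropped };
}

// Constructed sample run (not real user data): a stand-in for window.dataLayer.
const sampleDataLayer = [];
const sampleResult = pushSignupEvent(sampleDataLayer, { analytics: true }, {
  user_id: 'u_8f3a9c2d1e',      // opaque token: kept
  method: 'email',              // signup method, not an address: kept
  email: 'alice@example.com',   // disallowed key: dropped
  plan: 'pro',
});
```

The user_id check is the point the findings make: an identifier that is opaque in your own database is still a cross-session key in GA4, so it must be pushed only under consent and never be a value that is meaningful outside your system.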

VirusTotal

65/65 vendors flagged this skill as clean.