Delx Wellness Site Operations

Pass

Audited by ClawScan on May 6, 2026.

Overview

This is a coherent site-operations skill, but users should handle analytics credentials carefully and review any external repository scripts before running them.

Install only if you work on the Delx Wellness site. Before using it, review the referenced repository, run npm commands in a safe local environment, and provide only the minimum analytics/provider credentials needed for the task.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If given real credentials, the agent may be able to access analytics or Search Console data and potentially make provider-side changes.

Why it was flagged

The workflow may involve analytics/search-console credentials or local token files. That is expected for the stated analytics purpose, but it is still sensitive authority.

Skill content

checking GA4 or Search Console wiring ... Do not print OAuth tokens, API keys, service-account JSON, local token files

Recommendation

Use least-privilege credentials, avoid pasting secrets into chat, and require explicit approval before any live provider call or write.

What this means

Running npm install or project scripts can execute code from the referenced project and its dependencies.

Why it was flagged

The skill points to an external repository and standard npm workflows, but the repository code and dependencies are not included in the supplied scan context.

Skill content

Repository: https://github.com/davidmosiah/delx-wellness-site ... Setup - `npm install` - `npm run typecheck` - `npm run build`

Recommendation

Review the repository and lockfile before installing dependencies or running scripts, especially if secrets are present in the environment.

What this means

A live provider call or write could change site/provider configuration or consume service quotas if performed without review.

Why it was flagged

The instructions contemplate writes or live provider calls, while encouraging safer dry-run/status checks first.

Skill content

Prefer connection_status, manifest, doctor, privacy_audit, or dry-run surfaces before any write or live provider call.

Recommendation

Treat dry-runs and status checks as the default, and approve live writes only after reviewing the intended change.