Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mixpanel Analytics

v1.0.0

Query Mixpanel product analytics — events, funnels, retention, user profiles, and cohorts via the Mixpanel Data Export API. Use when you need to: (1) Query e...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and scripts/mx.py all describe Mixpanel Data Export API interactions (events, funnels, retention, profiles). The credentials the code uses (service account username/secret or API secret) and an optional project_id are appropriate and expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to run the included CLI script (~/.openclaw/workspace/skills/mixpanel-analytics/scripts/mx.py) and documents the exact env vars the script requires (MIXPANEL_SERVICE_ACCOUNT_USERNAME, MIXPANEL_SERVICE_ACCOUNT_SECRET or MIXPANEL_API_SECRET, and optionally MIXPANEL_PROJECT_ID and MIXPANEL_DATA_REGION). The script reads only those Mixpanel-related env vars and calls only Mixpanel domains. However, the registry metadata lists no required env vars; this mismatch is a scope/metadata coherence issue. Also, the shipped script's output can expose user properties (PII), which is consistent with its purpose but should be noted.
Install Mechanism
This is instruction-only (no install spec). The skill includes a Python script (no external package download or obscure install). No network-based installers or archive extraction are present in the metadata. That is low risk from an install-mechanism perspective.
Credentials
The code legitimately requires Mixpanel credentials and optionally a project ID and region. However, the skill's declared requirements in the registry show zero required env vars/credentials while SKILL.md and scripts clearly require secrets. The missing declaration is an incoherence and a risk (users may not realize they must provide secrets). Also the script will return user profile properties (potentially PII) — the skill needs access to sensitive data, which is proportionate to its purpose but should be explicitly documented in registry metadata.
Persistence & Privilege
The always flag is false and the skill is user-invocable; it does not request elevated or permanent system privileges. Nothing in the files indicates modification of other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward Mixpanel Data Export CLI: it needs Mixpanel service-account credentials or an API secret and will call Mixpanel APIs and print event/profile data (which may include PII). The primary concern is metadata incoherence: the registry lists no required environment variables even though SKILL.md and the script clearly expect MIXPANEL_SERVICE_ACCOUNT_USERNAME, MIXPANEL_SERVICE_ACCOUNT_SECRET or MIXPANEL_API_SECRET and optionally MIXPANEL_PROJECT_ID and MIXPANEL_DATA_REGION. Before installing or enabling autonomous invocation, do the following: (1) Require the publisher/maintainer to update the registry metadata to declare the exact env vars/secrets needed so you can audit them; (2) Review the full scripts/mx.py file (the provided file was truncated in the package listing) to confirm it only contacts mixpanel domains and does not send data to other endpoints or log secrets; (3) Consider running the script in a least-privilege environment and avoid supplying secrets with broad scopes — use service accounts with minimal permissions; (4) Be aware that outputs can include user properties/PII; restrict access to agents and logs accordingly. If the publisher cannot justify the missing metadata or provide the full unobfuscated source, treat the skill as untrusted.
