ClawHub
Back to skill
v1.0.0

Mixpanel Analytics

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:55 AM.

Analysis

This skill appears aligned with querying Mixpanel analytics, but it needs Mixpanel credentials and can expose raw event and user profile data to the agent.

GuidanceInstall only if you are comfortable granting the agent Mixpanel access. Use least-privileged service account credentials, scope them to the intended project, and review broad exports or profile lookups before running them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Export Raw Events ... --from-date 2026-03-20 --to-date 2026-03-21 ... --limit 100

Raw event export is a powerful but disclosed analytics function; the documentation encourages limiting output, but broader ranges could return large or sensitive datasets.

User impactA broad export could place many event records, distinct IDs, and event properties into the agent conversation or downstream analysis.
RecommendationReview date ranges, event filters, and limits before running raw exports or profile lookups, especially in workspaces containing customer data.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown; Homepage: none

The skill includes a local helper script but has limited provenance information in the registry metadata.

User impactUsers have less external provenance to rely on when deciding whether to trust the included helper script with Mixpanel credentials.
RecommendationInspect the included script and prefer installing from a known, maintained source when handling production analytics credentials.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Requires MIXPANEL_SERVICE_ACCOUNT_USERNAME + MIXPANEL_SERVICE_ACCOUNT_SECRET (or MIXPANEL_API_SECRET for legacy projects).

The skill requires Mixpanel account credentials to access a project; this is expected for the integration but grants whatever Mixpanel data access those credentials allow.

User impactIf installed and configured, the agent can query Mixpanel data under the supplied account or API secret, including potentially sensitive analytics and profile information.
RecommendationUse a least-privileged, project-specific service account where possible and avoid sharing broad legacy API secrets.