Skill v1.0.0
ClawScan security
seo giffy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 3:14 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only analytics/tracking guidance skill that requests no credentials, installs, or binaries and is coherent with its stated purpose.
- Guidance: This skill is a content/implementation guide for analytics (GA4, GTM, UTM) and appears internally consistent. Before installing: (1) confirm you are comfortable the agent may read project-local context files (the skill explicitly checks .agents/product-marketing-context.md or .claude/product-marketing-context.md) — remove or redact sensitive info there if needed; (2) do not paste or store production secrets (measurement IDs, user identifiers, or PII) into shared project files the agent can access; (3) remember code snippets are examples — if you copy them into your site, ensure they do not send PII and that consent/consent-mode rules are applied; (4) if you plan to let the agent act autonomously, consider reviewing the commands or changes it will propose before applying them to production GTM/GA accounts.
Review Dimensions
- Purpose & Capability (ok): The name/description (analytics, GA4, GTM, tracking plans) matches the content of SKILL.md and the included references. There are no unrelated environment variables, binaries, or install steps requested.
- Instruction Scope (note): The runtime instructions ask the agent to read local context files if present (.agents/product-marketing-context.md or .claude/product-marketing-context.md) before asking questions — this is reasonable for context but means the skill will access repository/workspace files if available. Otherwise, instructions are scoped to analytics implementation, debugging, naming, and privacy best-practices and do not direct the agent to read arbitrary system credentials or send data to unexpected endpoints.
- Install Mechanism (ok): No install spec and no code files to execute — the skill is instruction-only, which minimizes on-disk risk.
- Credentials (ok): The skill requires no environment variables, secrets, or external credentials. Code snippets reference typical GA4/GTM identifiers (e.g., measurement IDs) which are expected for the purpose but are not requested as required environment values in the registry.
- Persistence & Privilege (ok): always is false (default) and the skill is user-invocable; the skill does not request elevated or permanent platform privileges. Note: autonomous invocation is allowed by default on the platform but is not itself unusual for skills and is not combined here with other concerning flags.
