Google Analytics

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Google Analytics integration, but it gives an agent broad account-changing power without explicit safeguards for destructive changes.

Install only if you trust Membrane and intend to let an agent operate your Google Analytics account. Require explicit approval with the exact account, property, action, and payload before any create, update, delete, or raw proxy request, and prefer read-only reporting actions when possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documents destructive capabilities such as deleting a Google Analytics property but provides no warning, confirmation requirement, or guidance to verify user intent before execution. In an agent setting, this increases the chance of accidental or unauthorized destructive changes to analytics resources.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal