Simple Analytics
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent Simple Analytics integration, but it gives the agent a broad authenticated API proxy with write/delete methods and no clear approval boundaries.
Install only if you trust Membrane and the npm CLI package. Complete authentication yourself, use the least-privileged Simple Analytics account possible, and require explicit confirmation before allowing the agent to run raw proxy requests or any write/delete operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses the proxy too broadly, it could change or delete Simple Analytics account data rather than only reading analytics or using curated actions.
This exposes a broad authenticated API escape hatch with mutating and delete methods, but the provided instructions do not define confirmation, scope, or rollback guardrails for high-impact requests.
When the available actions don't cover your use case, you can send requests directly to the Simple Analytics API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require the agent to show the exact method, endpoint, and body before any POST, PUT, PATCH, or DELETE request, and prefer discovered Membrane actions over raw proxy calls.
The skill can act through the connected Simple Analytics account once authentication is completed.
The skill relies on delegated Membrane/Simple Analytics authentication and ongoing credential refresh, which is expected for the integration but gives the skill the authority of the connected service account.
Membrane handles authentication and credentials refresh automatically
Authenticate only accounts you intend the agent to use, review the permissions granted, and revoke the Membrane connection when it is no longer needed.
Installing the latest CLI version can introduce behavior changes outside this skill's reviewed text.
The setup installs the npm package globally and tracks the moving @latest tag rather than a fixed version; this is purpose-aligned but means future package changes affect the skill.
npm install -g @membranehq/cli@latest
Install the CLI only from the official source and consider pinning a known-good version in controlled environments.
