Back to skill

Security audit

Google Analytics

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for Google Analytics work, with one documentation inconsistency users should verify before allowing configuration changes.

Install if you want an agent to help with Google Analytics analysis or configuration. Before approving any write action, confirm the exact property, event, and intended change; for GA4 key events, verify in the Google Analytics UI if the API path is unsupported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation contains contradictory guidance about whether key events can be created via API. Earlier sections instruct the agent to preview and confirm key event creation, while the notes state that key events are read-only via API and require the Google Analytics UI. This inconsistency can cause an agent to attempt unsupported or incorrect write operations, mislead users about platform capabilities, and weaken safeguards around state-changing actions.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.