Analytics
v1.0.0
Deploy privacy-first analytics with correct API patterns, rate limits, and GDPR compliance.
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md content matches the stated purpose (Umami, Plausible, PostHog guidance, GDPR notes). However the instructions repeatedly reference storing and using API keys and environment variables, while the registry metadata lists no required env vars/credentials and no primary credential. That mismatch is unexpected and should be clarified. Also the package has no source/homepage, which reduces auditability.
Instruction Scope
The instructions stay within analytics configuration and GDPR practices (rate limits, batching, consent checks, bot filtering). They do recommend actions that touch user-identifying data (e.g., IP geolocation checks before tracking) which is within analytics scope but requires careful implementation. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
The runtime guidance explicitly tells implementers to store API keys in environment variables and to use site-specific API keys/IDs, but the skill metadata declares no required env vars or primary credential. That gap could lead to confusion about what secrets the skill expects or will use. If you provide credentials when implementing this guidance, ensure they are scoped (project-level keys) and not pasted into prompts.
Persistence & Privilege
The skill does not set always:true and does not declare disableModelInvocation, so the model can invoke it when eligible (the default). Because this is instruction-only and declares no credentials, the privilege level is moderate, but you should be aware the skill is invokable by the model and has no provenance metadata.
What to consider before installing
This skill appears to be practical guidance for implementing privacy-first analytics, but it has a few red flags: it references API keys and environment variables while the registry metadata declares none, and there is no source/homepage to verify authorship. Before using it: (1) don't paste any API keys or PII into prompts — keep secrets in properly scoped environment variables; (2) verify the author/source or prefer a known implementation with a repository/homepage; (3) when implementing IP geolocation or consent checks, ensure you handle data minimization and deletion per GDPR; (4) consider restricting autonomous model invocation (set disableModelInvocation or require explicit user intent) if you are concerned about a model acting on these instructions without oversight.
Like a lobster shell, security has layers — review code before you run it.
