Mixpanel
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: mixpanel Version: 1.0.1 The OpenClaw Mixpanel skill is benign. It clearly defines its purpose of interacting with the Mixpanel API for analytics, using standard tools like `curl` and `jq`. It correctly handles sensitive credentials by requiring them as environment variables (`MP_SERVICE_ACCOUNT`, `MP_SERVICE_SECRET`, `MP_PROJECT_ID`) and explicitly instructs the agent not to store them in files or ask users to paste them in chat (`SKILL.md`, `memory-template.md`, `setup.md`). All network calls are directed to legitimate Mixpanel domains, and the skill explicitly disavows sending data to other services. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection aiming for harmful actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the configured environment can query Mixpanel analytics for the configured project, including potentially sensitive business or user data.
The skill needs a Mixpanel service-account secret and project ID to query the user's Mixpanel account, which is expected for the stated purpose but grants access to analytics data.
Requires a Mixpanel Service Account: export MP_SERVICE_ACCOUNT="your-service-account" ... export MP_SERVICE_SECRET="your-service-secret" ... export MP_PROJECT_ID="123456"
Use a least-privilege Mixpanel service account scoped to the intended project, keep the secret out of chat and files, and rotate it if it may have been exposed.
Product context, saved queries, insights, and possibly query results may remain on disk and influence future conversations or analyses.
The skill persistently stores Mixpanel context and cached results locally, which supports the analytics workflow but may retain sensitive analytics outputs across sessions.
Memory lives in `~/mixpanel/` ... Query results cached in ~/mixpanel/
Review the contents of ~/mixpanel/ periodically, avoid saving raw personal data or credentials, and delete or redact cached results that should not persist.