Mobile App Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed mobile analytics helper with scoped local notes and expected Firebase, Apple, and Google analytics integrations.

Reasonable to install if you want analytics assistance. Use read-only or reporting-scoped credentials, do not store secrets in the local notes, review what is saved under ~/mobile-app-analytics/, and be cautious about retaining proprietary KPIs, funnels, or product strategy there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill provides detailed analytics guidance, including user properties such as age, gender, interests, and country, but does not warn about privacy, consent, platform disclosure, or data-minimization requirements. In a mobile analytics context this can lead users to collect or process personal data in ways that violate app store rules, privacy laws, or internal policy.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding:
The template explicitly instructs the agent to create and maintain files under the user's home directory, which means the skill performs persistent local writes. While the content is not overtly dangerous, users are not warned in the skill description that local data will be created and updated over time, which creates a transparency and consent issue.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding:
The per-app template expands the same behavior by creating additional app-specific files on disk, increasing the amount of persistent local state. This is low severity because it is ordinary note-taking behavior, but it still modifies local files without an explicit warning or opt-in in the skill description.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly tells the agent to save user preferences to a persistent local file, but it does not instruct the agent to disclose that storage to the user or obtain informed consent first. This creates a privacy and transparency issue because users may reveal app names, analytics tools, KPIs, and concerns without realizing those details will be retained across sessions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs creation of per-app markdown files containing analytics stack, tracked events, funnel stages, and target KPIs, which can expose sensitive business intelligence if stored without disclosure. Even if this is not overtly malicious, silently persisting structured app-specific operational data increases privacy and confidentiality risk, especially for proprietary mobile products.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
The skill encourages proactive activation on broad mentions of app metrics or analytics and frames this as important for future triggering behavior, which can cause the agent to engage or retain context beyond what the user reasonably expects. In this context, the danger is amplified because the same skill also persists preferences and app details, so broad activation can lead to repeated collection and use of sensitive analytics information without well-bounded consent.

VirusTotal

64/64 vendors flagged this skill as clean.
