Back to skill
Skillv1.0.12
VirusTotal security
Test · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 16, 2026, 10:31 AM
- Hash
- 3c57c27422788cc7183e82a0df5a2965caf7b0cc1c980bb05ae5584129c323e2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: analytics-tracking-automation Version: 1.0.12 The skill bundle provides comprehensive GA4 and GTM automation, which inherently requires high-risk capabilities such as browser automation (Playwright), OAuth credential caching (credentials.json), and the ability to modify/publish GTM container configurations. While the instructions in SKILL.md and references/output-contract.md include significant safety guardrails—such as mandatory user confirmation gates and 'stop rules' to prevent unauthorized publishing—the power to inject tags into live websites and handle sensitive API tokens warrants a suspicious classification under the provided criteria. No evidence of intentional malice was found, but the attack surface includes potential supply chain risks via 'npx skills add' and local credential storage.
- External report
- View on VirusTotal