Back to skill

Security audit

analytics-tracking

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only GA4 analytics guidance skill; its User ID advice needs privacy care, but there is no hidden execution, credential access, or autonomous data handling.

Safe to install as analytics guidance. Before enabling User ID, use pseudonymous internal IDs rather than emails, names, phone numbers, or other raw personal data, and confirm consent, retention, access controls, GA4 policy, and applicable privacy-law requirements for your site or app.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends cross-device User ID tracking and sending `user_id` to GA4 without any guardrails around consent, lawful basis, minimization, or prohibition on using directly identifiable information. This can lead users to implement privacy-noncompliant tracking, potentially exposing regulated personal data and creating legal, compliance, and account-enforcement risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.