Security audit

analytics-tracking

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only GA4 analytics guidance skill; its User ID advice needs privacy care, but there is no hidden execution, credential access, or autonomous data handling.

Safe to install as analytics guidance. Before enabling User ID, use pseudonymous internal IDs rather than emails, names, phone numbers, or other raw personal data, and confirm consent, retention, access controls, GA4 policy, and applicable privacy-law requirements for your site or app.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill recommends cross-device User ID tracking and sending `user_id` to GA4 without any guardrails around consent, lawful basis, minimization, or prohibition on using directly identifiable information. This can lead users to implement privacy-noncompliant tracking, potentially exposing regulated personal data and creating legal, compliance, and account-enforcement risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.