Back to skill

Security audit

Analytics Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only analytics tracking skill with expected privacy-sensitive examples, not hidden or autonomous behavior.

Safe to install as an analytics guidance skill. Before copying examples into production, use pseudonymous IDs, avoid direct identifiers and payment-card or billing details, gate analytics and marketing tags behind applicable consent, and review GA4/GTM/Facebook Pixel configuration against your privacy and compliance requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference explicitly recommends tracking persistent identifiers such as user_id and account_id alongside payment and transaction-related events, but it provides no guardrails about consent, data minimization, retention, or avoiding sensitive values. In an analytics-tracking skill, users may copy these schemas directly into production, which can lead to unnecessary collection of personal or financially linked behavioral data and create privacy, compliance, and data exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference explicitly shows sending persistent identifiers and user attributes such as `user_id`, `user_type`, and `plan_name` to GA4/GTM without any accompanying guidance on consent, minimization, hashing/pseudonymization, or platform policy restrictions. In an analytics implementation guide, readers may copy these examples directly, which can lead to privacy violations, non-compliant tracking, and accidental transmission of identifiable user data to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.