google analytics and search improve

Security checks across malware telemetry and agentic risk

Overview

This is a coherent website analytics and SEO audit skill, but it handles sensitive analytics data and credentials that users should protect carefully.

Install only if you are comfortable giving the skill access to website analytics and search-console data. Use dedicated read-only credentials, keep .skills-data private and out of git or synced folders, review generated scripts before running them, avoid persona analysis unless you have the right consent/legal basis, and delete or rotate stored keys and exports after the audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The user-persona workflow expands the skill from site analytics into audience profiling, including demographic, behavioral, geographic, language, and interest-based segmentation. That materially changes the privacy risk profile because it enables more invasive analysis of user populations than the stated website-improvement scope suggests, especially when combined with acquisition and engagement data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs storage of raw analytics exports, screenshots, logs, and service-account configuration under a local data directory without an explicit user-facing warning about secrets handling, retention, or sensitive data exposure. Because GA4/GSC exports, logs, and service account files may contain sensitive operational data and credentials, this creates a real risk of accidental disclosure, over-retention, or insecure local storage.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document instructs users to download a long-lived Google service-account JSON key and place it in a local configs directory, and to store other secrets in a plaintext .env file, but it does not warn that these are highly sensitive credentials or provide minimum handling safeguards. If the workspace is shared, synced, committed, or exposed through logs/backups, attackers could reuse the credentials to access analytics/search data or abuse associated APIs.

Missing User Warnings

Medium
Confidence: 92%
Finding
The reference directs collection and analysis of demographics, interests, search queries, funnel behavior, session recordings, CRM exports, and support-ticket data, but it does not include any guidance on consent, legal basis, data minimization, retention, access control, or de-identification. In a marketing/analytics skill, this omission can lead operators to aggregate sensitive or personal data in ways that violate privacy requirements or expose users through over-collection and unsafe handling.

VirusTotal

67/67 vendors flagged this skill as clean.
