ClawHub

GA4 Connector

Security checks across malware telemetry and agentic risk

Overview

This GA4 connector is purpose-aligned and disclosed, but it stores Google OAuth files locally and edits shell startup configuration during setup.

Install only if you intend to grant read-only access to the selected GA4 property and are comfortable with local OAuth storage. Before running setup, verify the skill path because the docs still reference ga4-data-api, review the script, protect ~/.config/openclaw, and remove the token or revoke Google access when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of scripts that read environment/config, write files under ~/.config and shell config, and perform networked OAuth/API access, yet no permissions are declared. This creates a transparency and consent problem: an agent or user may invoke a skill with side effects and sensitive credential handling without an explicit permission boundary.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The manifest identifies the skill as ga4-connector, but the instructions point to a different directory/name (ga4-data-api). Identity/path mismatches are dangerous because they can cause execution of the wrong skill assets, confusing trust boundaries and potentially running unintended scripts or using stale credentials from another package.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The documentation tells users to use this skill for OAuth setup, but every concrete command targets another skill directory. In a security-sensitive flow involving OAuth client secrets and tokens, this increases the chance of credential placement into the wrong location, accidental execution of unrelated code, or authorization against an unintended implementation.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer edits the user's shell startup file to persist GA4_PROPERTY_ID, which exceeds the narrowly expected behavior of querying GA4 data and creates a lasting environment change without explicit consent. While not inherently malicious, silent persistence can surprise users, interfere with existing shell configuration, and normalize broader installer-side profile modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions say the install script copies OAuth client JSON, writes GA4_PROPERTY_ID into shell config, and later stores a token in ~/.config/openclaw, but they do not prominently warn the user beforehand. Missing disclosure around credential storage and shell modification undermines informed consent and can lead to accidental persistence of sensitive secrets on shared or unmanaged systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script copies the OAuth client secret JSON into ~/.config/openclaw, creating a persistent local copy of sensitive credentials without warning, permission hardening, or lifecycle guidance. Storing secrets this way increases exposure if the home directory is backed up, synced, shared, or readable by other local processes/users.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script overwrites shell profile content related to GA4_PROPERTY_ID without warning or confirmation, causing persistent user-environment changes on future shell sessions. This is dangerous because installers that silently alter startup files can break expected configuration, make rollback difficult, and erode trust boundaries between setup and ongoing shell behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal