Google Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Analytics connector skill that discloses its read and configuration-change capabilities and does not show hidden or malicious behavior.

Before installing, understand that this skill can read Google Analytics data and, if your connected account has permission, change GA4 configuration such as custom dimensions, custom metrics, property settings, retention settings, and archived custom definitions. Confirm the exact property and payload before any create, update, or archive action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The skill description says to use this skill for ANY Google Analytics request and instead of calling the API directly, which creates an overly broad routing rule. That increases the chance the agent invokes the skill in situations where a narrower or safer path would be more appropriate, including write-capable operations that can modify analytics configuration.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal