analytics-sdk-setup

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill guides agents through TikTok and Meta Pixel setup and includes privacy-sensitive examples, but its behavior is disclosed and constrained by conservative guardrails.

Install this only for repositories where you want an agent to review or change Pixel tracking code. Carefully review any generated changes that add identifiers, Advanced Matching, consent logic, CSP allowlists, or third-party tracking, and require privacy/legal approval before sending email, phone, external IDs, or similar user identifiers to analytics platforms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The file provides a `ttq.identify(...)` example with hashed email, phone number, and external ID, but does not pair it with any privacy warning, consent prerequisite, or note that hashed identifiers are still personal data in many regimes. In a skill explicitly meant to help agents install and repair production analytics, omission of those guardrails can lead to unauthorized sharing of user identifiers and noncompliant tracking implementations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The document includes a `ttq.identify` example sending hashed email, phone number, and external ID without a prominent warning that these are personal identifiers subject to privacy notice, consent, and jurisdiction-specific restrictions. In an analytics-installation skill, this omission is more dangerous because agents may copy the snippet directly into production integrations and transmit user-linked data to a third party under the false assumption that hashing alone makes it safe.

VirusTotal

61/61 vendors flagged this skill as clean.
