Google Tag Manager
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with managing Google Tag Manager, but it can make live account changes and contains an unsafe create-version command that can execute unintended local Python code from crafted name or notes input.
Only install this if you are comfortable giving the agent access to modify and publish your Google Tag Manager container. Use a least-privilege service account, verify which Google identity is active, review all delete and publish actions before they run, and avoid the create-version name/notes fields until the unsafe Python interpolation is fixed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidentally malformed version name or notes string could cause the agent's local environment to run unintended Python commands.
The create-version command inserts the user-provided version name and notes directly into Python source code. A crafted value containing quotes and Python syntax could execute code locally when the command runs.
body=$(python3 -c "import json; print(json.dumps({k:v for k,v in {'name':'$name','notes':'$notes'}.items() if v}))")
Do not use create-version with untrusted name or notes values until this is fixed. The script should pass name and notes via argv, stdin, or environment variables and call json.dumps on those values without building Python code by string interpolation.
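The following is an added example of the remediation described above, not code from the ClawScan report or from the skill itself. It builds the same JSON body, but hands name and notes to Python through environment variables so that quotes or Python syntax in the input are treated as data by json.dumps rather than becoming part of the interpreted program. The function name build_version_body and the environment variable names GTM_VERSION_NAME and GTM_VERSION_NOTES are assumptions for illustration.

```shell
#!/bin/sh
# Added example (assumed helper name): build the create-version JSON body
# without interpolating user input into Python source code.
build_version_body() {
  # $1 = version name, $2 = notes. Both may contain quotes, semicolons or
  # other characters that would break out of a string literal if they were
  # pasted into the Python program text.
  #
  # The values travel through the environment (assumed variable names), and
  # the Python program is a fixed single-quoted literal, so the shell never
  # rewrites it based on the input.
  GTM_VERSION_NAME="$1" GTM_VERSION_NOTES="$2" python3 -c '
import json, os

# Read the values as plain strings; json.dumps handles all escaping.
fields = {
    "name": os.environ.get("GTM_VERSION_NAME", ""),
    "notes": os.environ.get("GTM_VERSION_NOTES", ""),
}
# Keep the original behaviour of dropping empty fields.
print(json.dumps({k: v for k, v in fields.items() if v}))
'
}

# Usage: a name containing a single quote and a semicolon (constructed
# sample input) comes back as a correctly quoted JSON string.
body=$(build_version_body "Release 'Q2'; x" "ok")
echo "$body"
```

The same pattern applies to any other place the script builds Python or shell code from request fields: keep the program text constant and move the variable parts into argv, stdin or the environment.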
The agent could read, edit, or publish GTM changes using the wrong Google identity or a more privileged account than the user intended.
The script automatically uses the active local gcloud credentials before checking the service-account JSON path. That may operate under whichever Google account is currently active, not necessarily the intended GTM service account.
if command -v gcloud &>/dev/null; then
gcloud auth print-access-token 2>/dev/null && return
fi
Require the user to explicitly choose gcloud authentication versus a service-account key, show the active gcloud account before use, and document the required GTM permissions in the registry metadata.
Anyone or any agent using this credential with sufficient GTM access can modify the configured GTM account/container.
The skill requires a Google service-account credential for GTM API access, which is expected for this integration but should be treated as sensitive account authority.
GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
Use a dedicated service account with the minimum GTM permissions needed, store the JSON key securely, and rotate it if exposed.
A mistaken command could remove tracking components or publish changes that affect a live website or marketing setup.
The documented command set includes deleting GTM resources and publishing a container version live. These are purpose-aligned but high-impact operations.
`delete-tag <tagId> [workspaceId]` ... `delete-trigger <triggerId> [workspaceId]` ... `delete-variable <variableId> [workspaceId]` ... `publish <versionId>`
Review proposed changes before delete or publish operations, use a test workspace where possible, and keep a rollback plan using existing GTM versions.
Users may install dependencies ad hoc, increasing setup friction and making dependency provenance/versioning less clear.
The script requires Python packages for service-account JWT authentication, but the registry requirements and install spec do not declare these dependencies.
ERROR: pip3 install PyJWT cryptography
Declare required binaries and Python packages in metadata or an install spec, preferably with pinned versions or clear installation instructions.
A user could accidentally publish a tracking configuration that references domains they did not intend to use.
A cross-domain tracking template contains specific real domains rather than obvious placeholders. If copied unchanged, it could configure unrelated domains in a user's GTM container.
{ "type": "TEMPLATE", "value": "geo.creaitor.ai" },
{ "type": "TEMPLATE", "value": "app.creaitor.ai" }
Replace these with clear placeholders such as example.com or explicitly instruct users to substitute only domains they own and want to track.
