Skill v1.0.0
ClawScan security
Google Tag Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 16, 2026, 9:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions are broadly consistent with a Google Tag Manager CLI, but there are metadata inconsistencies and a few odd examples that warrant caution before installing it or supplying credentials.
- Guidance: This skill appears to be a straightforward GTM API CLI, but before installing it or providing credentials:
  1. Confirm why the registry metadata omits the environment variables declared in SKILL.md. This is most likely a publisher oversight, but treat it as an unresolved inconsistency until the publisher clarifies it.
  2. Authenticate with a dedicated Google service account that holds only the minimum GTM user permissions the task needs (read-only unless you actually need create/update/publish), never with broader project credentials. A service-account key file is not itself scope-limited; the scopes are requested when the script mints a token, so review the scope list it asks for.
  3. The script can create, update and publish containers, which is a high-privilege capability. Review any JSON you pass to create/update operations before running them.
  4. The recipes use example domains (geo.creaitor.ai / app.creaitor.ai). Replace them with your own domains so you do not accidentally link tags to third-party hosts.
  5. The Python JWT helper needs PyJWT and cryptography when gcloud is not available; install them before the script can mint tokens.
  If the publisher declares the required env vars in the metadata and clarifies the example placeholders, confidence would rise.
Review Dimensions
- Purpose & Capability (note): Name/description match the included CLI script (scripts/gtm.sh), which talks to the GTM API. The script requires GTM_ACCOUNT_ID, GTM_CONTAINER_ID and GOOGLE_APPLICATION_CREDENTIALS, all appropriate for GTM operations. However, the registry metadata claims no required env vars or credentials, which is inconsistent with SKILL.md and the script.
- Instruction Scope (ok): SKILL.md instructs the agent/user to set the service-account JSON path and the account/container IDs and to run the provided script. The script only calls tagmanager.googleapis.com and does not attempt to read unrelated system files; it reads the service-account JSON (expected) and may call gcloud if present (expected).
- Install Mechanism (ok): No install spec; instruction plus script only. The script uses curl and python, and there is no remote download or extraction of third-party archives. Note that the embedded Python helper requires PyJWT/cryptography if gcloud is not present, so users may need to install those packages locally.
- Credentials (note): The env vars the script uses (GOOGLE_APPLICATION_CREDENTIALS, GTM_ACCOUNT_ID, GTM_CONTAINER_ID) are appropriate. The OAuth scopes requested (tagmanager.edit.containers, tagmanager.publish, tagmanager.readonly) allow modification and publishing of GTM containers; this is necessary for create/update/publish operations but is a high-privilege capability. The registry metadata lists no required credentials while SKILL.md expects them, an inconsistency the publisher should resolve.
- Persistence & Privilege (ok): The skill does not request always:true, does not claim to run persistently, and does not alter other skills or system-wide settings. Autonomous invocation (disable-model-invocation=false) is normal for skills; it would widen the blast radius only if the skill were malicious.
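The checks that the guidance and the Purpose & Capability, Instruction Scope and Credentials dimensions describe can be run offline before installing, as an added example that is neither ClawHub's scanner nor code from the skill: compare the env vars the script actually reads against what the registry metadata declares, list the hosts the script contacts against an allow-list (which surfaces placeholder domains left in recipes), and split the requested OAuth scopes into read and write. The sample script, the metadata dict, the allowed-host set and the write-scope classification are assumptions constructed for the example; the real scripts/gtm.sh is not reproduced here.

```python
"""Offline pre-install audit of a skill bundle (added example, not ClawHub's scanner)."""
import re

# Constructed stand-in for scripts/gtm.sh (assumption: a typical curl + JWT-helper
# layout); only the patterns matter, not the real script's contents.
SAMPLE_SCRIPT = r'''#!/usr/bin/env bash
set -euo pipefail
: "${GOOGLE_APPLICATION_CREDENTIALS:?path to service-account JSON}"
: "${GTM_ACCOUNT_ID:?}"
: "${GTM_CONTAINER_ID:?}"
SCOPES="https://www.googleapis.com/auth/tagmanager.edit.containers \
https://www.googleapis.com/auth/tagmanager.publish \
https://www.googleapis.com/auth/tagmanager.readonly"
TOKEN=$(python3 mint_token.py "$GOOGLE_APPLICATION_CREDENTIALS" "$SCOPES")
curl -sf -H "Authorization: Bearer $TOKEN" \
  "https://tagmanager.googleapis.com/tagmanager/v2/accounts/$GTM_ACCOUNT_ID/containers/$GTM_CONTAINER_ID/workspaces"
# recipe: page-view trigger for https://app.creaitor.ai/signup
'''

# Constructed stand-in for registry metadata that declares no required env vars.
SAMPLE_METADATA = {"name": "google-tag-manager", "version": "1.0.0", "env": []}

# Hosts a GTM CLI legitimately needs: the API, the scope URIs, and the OAuth token
# endpoint a JWT helper would use when gcloud is absent (assumption).
ALLOWED_HOSTS = {"tagmanager.googleapis.com", "www.googleapis.com", "oauth2.googleapis.com"}

# GTM API v2 scopes that permit modification; any other requested scope is treated as read-only.
WRITE_SCOPES = {
    "tagmanager.edit.containers", "tagmanager.delete.containers",
    "tagmanager.edit.containerversions", "tagmanager.publish",
    "tagmanager.manage.accounts", "tagmanager.manage.users",
}

_REF = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)")                    # $VAR or ${VAR...}
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=", re.M)  # VAR=... at line start
_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
_SCOPE = re.compile(r"https://www\.googleapis\.com/auth/([A-Za-z0-9_.]+)")


def required_env(script: str) -> set[str]:
    """Variables the script reads but never assigns: these must come from the caller."""
    return set(_REF.findall(script)) - set(_ASSIGN.findall(script))


def contacted_hosts(script: str) -> set[str]:
    """Every host named in a URL inside the script."""
    return set(_HOST.findall(script))


def requested_scopes(script: str) -> set[str]:
    """OAuth scope names (the part after /auth/) the script asks for."""
    return set(_SCOPE.findall(script))


def audit(script: str, metadata: dict, allowed_hosts: set[str] = ALLOWED_HOSTS) -> dict:
    """Findings a reviewer wants before supplying a service-account key to the script."""
    scopes = requested_scopes(script)
    return {
        # env vars the script needs that the registry metadata fails to declare
        "undeclared_env": required_env(script) - set(metadata.get("env", [])),
        # hosts outside the allow-list, e.g. placeholder domains left in recipes
        "unexpected_hosts": contacted_hosts(script) - allowed_hosts,
        # write scopes are the high-privilege capability the verdict flags
        "write_scopes": scopes & WRITE_SCOPES,
        "read_scopes": scopes - WRITE_SCOPES,
    }


def report(findings: dict) -> str:
    """One line per finding, sorted for stable diffs between skill versions."""
    return "\n".join(
        f"{key}: {', '.join(sorted(values)) or '(none)'}" for key, values in findings.items()
    )


if __name__ == "__main__":
    print(report(audit(SAMPLE_SCRIPT, SAMPLE_METADATA)))
```

Against the constructed sample the audit reports the same three points the verdict raises: three required env vars missing from the metadata, one host (app.creaitor.ai) outside the allow-list, and two write scopes alongside one read-only scope. Re-running it after the publisher updates the metadata, or after you trim the scope list to tagmanager.readonly for a read-only deployment, should empty the first finding and the write-scope set respectively.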
