Analytics

Deploy privacy-first analytics with correct API patterns, rate limits, and GDPR compliance.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 1.8k · 26 current installs · 27 all-time installs
by Iván @ivangdavila
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md content matches the stated purpose (Umami, Plausible, PostHog guidance, GDPR notes). However the instructions repeatedly reference storing and using API keys and environment variables, while the registry metadata lists no required env vars/credentials and no primary credential. That mismatch is unexpected and should be clarified. Also the package has no source/homepage, which reduces auditability.
Instruction Scope
The instructions stay within analytics configuration and GDPR practices (rate limits, batching, consent checks, bot filtering). They do recommend actions that touch user-identifying data (e.g., IP geolocation checks before tracking) which is within analytics scope but requires careful implementation. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
The runtime guidance explicitly tells implementers to store API keys in environment variables and to use site-specific API keys/IDs, but the skill metadata declares no required env vars or primary credential. That gap could lead to confusion about what secrets the skill expects or will use. If you provide credentials when implementing this guidance, ensure they are scoped (project-level keys) and not pasted into prompts.
Persistence & Privilege
The skill does not set always:true and does not declare disableModelInvocation, so the model can invoke it when eligible (the default). Because this is instruction-only and declares no credentials, the privilege level is moderate, but you should be aware the skill is invokable by the model and has no provenance metadata.
What to consider before installing
This skill appears to be practical guidance for implementing privacy-first analytics, but it has a few red flags: it references API keys and environment variables while the registry metadata declares none, and there is no source/homepage to verify authorship. Before using it: (1) don't paste any API keys or PII into prompts — keep secrets in properly scoped environment variables; (2) verify the author/source or prefer a known implementation with a repository/homepage; (3) when implementing IP geolocation or consent checks, ensure you handle data minimization and deletion per GDPR; (4) consider restricting autonomous model invocation (set disableModelInvocation or require explicit user intent) if you are concerned about a model acting on these instructions without oversight.


Current version: v1.0.0
latestvk979vcqbzqvbxgb8jdg2g8f20980tyez


SKILL.md

Critical Implementation Gotchas

Umami API timestamps: Use milliseconds, not seconds. Date.now() in JS, int(time.time() * 1000) in Python.

Plausible API v2: Requires site_id parameter, NOT domain name. Get site_id from dashboard URL first.

PostHog events: Properties must be JSON serializable. Never pass DOM elements or functions.

Rate limits: Umami 600/hour, Plausible 600/hour, PostHog 1000/minute. Implement exponential backoff on 429.

Environment-Specific Setup

Development: ALWAYS use separate project/site for local testing. Production data pollution is irreversible.

Tracking domains: Never hardcode. Use env vars to switch between localhost and production.

Bot filtering: Enable in settings. Privacy tools have weaker bot detection than Google Analytics.

GDPR Compliance Gotchas

EU visitors need explicit consent even for privacy-first tools. Check IP geolocation before tracking.

Data retention: Set automatic deletion - Umami in Settings > Data, Plausible 30 days max, PostHog in project settings.

Cookie-free warning: Umami/Plausible don't use cookies but still need consent for EU visitors if collecting identifiers.

Runtime Safety

Verify script loads before sending events. Check for umami, plausible, or posthog globals first.

Never track PII (email, names, IP) in custom events. Violates privacy principles.

Batch PostHog events via /batch endpoint. Umami/Plausible require individual requests.
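
One way to enforce the Runtime Safety rules above, together with the PostHog JSON-serializable rule, at a single choke point. This is an added example, not part of the original SKILL.md. The names sanitizeProps and safeTrack, the PII key list and the two regexes are assumptions chosen for illustration; umami.track, plausible and posthog.capture are the trackers' own browser calls.

```javascript
// Added example (not from SKILL.md). Key list and regexes are assumptions;
// they are deliberately strict, so a string like "1.2.3.4" is dropped as an IP.
const PII_KEYS = /^(e-?mail|name|first_?name|last_?name|full_?name|ip|ip_?address|phone)$/i;
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;

// A value is safe if it is JSON-serializable and carries no email or IPv4.
const isSafeScalar = (v) =>
  v === null || typeof v === 'boolean' ||
  (typeof v === 'number' && Number.isFinite(v)) ||
  (typeof v === 'string' && !EMAIL_RE.test(v) && !IPV4_RE.test(v));

// Returns a JSON-safe copy of props. Dropped: PII-named keys, PII-looking
// strings, functions, symbols, undefined, NaN/Infinity and DOM nodes.
// The depth cap also stops circular references from recursing forever.
function sanitizeProps(props, depth = 0) {
  const out = {};
  if (!props || typeof props !== 'object' || depth > 3) return out;
  for (const [key, value] of Object.entries(props)) {
    if (PII_KEYS.test(key)) continue;
    if (isSafeScalar(value)) out[key] = value;
    else if (Array.isArray(value)) out[key] = value.filter(isSafeScalar);
    else if (value && typeof value === 'object' && !value.nodeType) {
      out[key] = sanitizeProps(value, depth + 1);
    }
  }
  return out;
}

// Sends the event to the first tracker global that has actually loaded.
// Returns the tracker name, or null if no script is present (event not sent).
function safeTrack(name, props, root = globalThis) {
  const clean = sanitizeProps(props);
  if (root.umami && typeof root.umami.track === 'function') {
    root.umami.track(name, clean);
    return 'umami';
  }
  if (typeof root.plausible === 'function') {
    root.plausible(name, { props: clean });
    return 'plausible';
  }
  if (root.posthog && typeof root.posthog.capture === 'function') {
    root.posthog.capture(name, clean);
    return 'posthog';
  }
  return null;
}
```
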

Authentication Patterns

Store API keys in environment variables only. Never hardcode.

Umami: Requires website ID + API key combination.

Plausible: Uses Bearer token authentication.

PostHog: Uses project-specific API key.
