Analytics
v1.0.0
Set up product analytics and define metrics that matter. Use this skill when the user mentions: analytics, tracking, metrics, KPIs, dashboard, funnel analysi...
by Emerson Braun (@emersonbraun)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, and detailed SKILL.md all focus on product analytics, tracking plans, metrics, dashboards, and example instrumentation (PostHog). Nothing in the files asks for unrelated capabilities or resources.
Instruction Scope
The SKILL.md stays within analytics scope (defining north star metric, tracking plans, SQL for cohorts, A/B testing guidance). It includes example implementation code that references PostHog and environment variables (e.g., NEXT_PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_HOST). The examples are reasonable for an analytics guide, but they implicitly assume the developer will provide API keys and choose whether keys are public or secret — the skill itself does not declare or request these.
Install Mechanism
There is no install spec and no code files to execute. This instruction-only skill does not download or install anything, which is the lowest-risk install model.
Credentials
The registry metadata lists no required env vars or credentials, which matches the skill being instruction-only. However, the provided code examples reference environment variables (NEXT_PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_HOST). That is expected for example code, but users should be careful: NEXT_PUBLIC_* env vars in Next.js are exposed to the browser (intended for public client keys), and any server-side secret (PostHog ingestion keys, database credentials for analytics exports) must be kept out of client code. The skill does not request unrelated or excessive credentials.
Persistence & Privilege
always is false and the skill is user-invocable; there is no install behavior or persistence requested and nothing that modifies other skills or system-wide settings.
Assessment
This skill is a guidance document for analytics — it appears coherent and safe as-is, but before you use its code/examples consider: (1) Decide which analytics provider you will actually use (PostHog, Amplitude, etc.) and follow that provider's best practices. (2) Do NOT put secret ingestion keys into client-side env vars; NEXT_PUBLIC_* keys are public in Next.js. Keep server-side keys and any PII-protecting logic on the backend. (3) Review your tracking plan carefully to avoid collecting personal data unnecessarily; add consent banners and retention/purge policies to meet GDPR and other laws. (4) If you self-host PostHog, secure the host and network access. (5) Test instrumentation in staging before sending production data. If you want me to, I can point out which keys are safe to expose in client code, draft a GDPR-compliant data policy, or convert the tracking snippets into a server-side-safe implementation.
Like a lobster shell, security has layers — review code before you run it.
