Millimetric Track
Review
Audited by ClawScan on May 17, 2026.
Overview
This is a transparent Millimetric analytics sender, but it uses a live server API key to create, link, bulk-write, and delete analytics records, so actions should be intentional.
This skill appears safe to install if you want the agent to send Millimetric analytics events. Treat MILLIMETRIC_KEY as a secret, verify the API host, confirm bulk imports and forget/delete requests, and avoid sending unnecessary personal data in traits or properties.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key can send authorized Millimetric API requests under the user's account.
The skill requires a live server-side Millimetric credential and sends it as a bearer token to the configured API host.
export MILLIMETRIC_KEY=sk_live_... # server key, scope: ingest
...
-H "Authorization: Bearer $MILLIMETRIC_KEY"
Use a least-privilege server key, keep it out of chat and logs, only point MILLIMETRIC_HOST at trusted endpoints, and rotate the key if exposed.
An unintended batch or forget request could pollute analytics data or remove records for the wrong user.
The skill documents API actions that can bulk-create analytics events and delete a user's analytics data.
Bulk-uploading events from a backfill or webhook ... Processing a "forget me" / GDPR erasure request
Confirm target user IDs, event contents, and batch sizes before sending bulk imports or GDPR forget requests.
Installing the optional SDK pulls code from npm, which has normal third-party package provenance and versioning risks.
The documentation offers an optional Node SDK install without a pinned version. It is not part of an automatic install spec.
npm i @millimetric/track-node
If using the SDK alternative, verify the package source and pin a reviewed version in your project.
