GA4 Analytics Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate Google Analytics/SEO toolkit, but it exposes high-impact Google index-removal actions and broad local result storage without enough guardrails.

Install only if you trust the publisher and need automated GA4/Search Console work. Use a dedicated least-privilege Google service account, grant Indexing API access only when needed, manually approve every re-indexing or removal request, restrict URLs to owned verified properties, and regularly review or delete the local results directory because it may contain sensitive business analytics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill implements `removeFromIndex()` using the Google Indexing API with `URL_DELETED`, which enables removal requests rather than only re-indexing and inspection. That capability is more destructive than the declared toolkit scope and could be abused to de-list legitimate pages, causing SEO degradation, traffic loss, and operational disruption if an agent invokes it on unintended or attacker-supplied URLs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The module automatically persists analytics results to local JSON files, including metadata such as propertyId and optional extraInfo, without any access-control, retention, or minimization safeguards visible here. In a skill whose stated purpose is querying Google Analytics/Search Console data, silent local persistence expands data handling beyond expected transient processing and can expose potentially sensitive traffic or business intelligence data to other local users, logs, backups, or later compromise.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding
The report-generation API has a side effect of persisting full GA4 responses via saveResult by default, even though its primary interface suggests it only runs reports. Analytics data can contain sensitive business intelligence and, depending on dimensions/metrics used, potentially personal or quasi-identifying information, so silently storing it increases retention and exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The workflow states that all analysis results are automatically written to timestamped JSON files and markdown summaries under the local results directory, but this persistence behavior is not surfaced as a user warning in the skill description. Analytics exports can contain sensitive business and user-behavior data, so silent local retention increases the risk of unintended disclosure to other users, processes, backups, or logs on the host.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill advertises access to real-time visitors, demographics, search queries, and SEO metrics without warning that these outputs may contain privacy-impacting or commercially sensitive analytics information. In this context, the omission is meaningful because the skill is designed to aggregate and expose potentially sensitive operational and behavioral data from Google services.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation repeatedly indicates that analytics results are saved to local JSON by default, but it does not warn users that potentially sensitive traffic, query, URL, and indexing data will persist on disk. In a toolkit handling website analytics and search data, silent default persistence increases the risk of unintended data retention, exposure through shared workspaces, backups, or later exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The API reference documents a destructive removeFromIndex operation with no cautionary note, confirmation guidance, or scope restrictions. In this skill's SEO/indexing context, an agent or user could invoke it on production URLs and cause search visibility loss, making the omission of warnings and safeguards materially risky.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code persists full GA4 report responses by default via `saveResult(response, 'reports', ...)` without any visible consent, minimization, or sensitivity checks. GA4 data can include potentially sensitive business analytics, page paths, campaign data, transaction identifiers, and user-segmentation metadata, so silent storage increases the risk of unintended retention, secondary exposure, or access by other components/users.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
This code persists Search Console query results by default whenever `save` is not explicitly disabled, which can silently store sensitive SEO and search performance data such as queries, pages, countries, and device metrics. In an agent skill context, default persistence increases the risk of unintended retention, later disclosure, or cross-user access if storage is shared, logged, or insufficiently protected.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
This code performs automatic file writes with no user-facing notice, consent check, or indication that analytics data is being retained on disk. While not an exploit primitive by itself, the undisclosed persistence creates a privacy and transparency issue and increases the chance that sensitive operational data is stored longer than users expect.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The code saves GA4 report responses to storage without any disclosure or consent mechanism in this file, which creates a transparency and data-handling risk. In the context of an analytics skill with access to Search Console and GA4, retained results may expose traffic patterns, campaign data, revenue metrics, and other sensitive operational data to anyone with storage access.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
This code persists Search Console query results by default whenever callers do not explicitly set save=false. Search Console data can contain sensitive business intelligence and potentially user-derived search terms, so silent default persistence increases the risk of unnecessary retention, accidental exposure, and cross-tenant leakage if storage is broadly accessible.

VirusTotal

65/65 vendors flagged this skill as clean.
