Is google-analytics safe?
https://clawhub.ai/byungkyu/google-analytics
This is a documentation-only skill (no executable code, no install hooks, no git hooks) that provides Google Analytics API integration through Maton's managed OAuth gateway. The primary risk is architectural: all Google Analytics data and OAuth tokens flow through Maton's third-party infrastructure, creating a supply chain trust dependency. The skill also cross-references another skill (api-gateway) which could expand the third-party proxy surface. No malicious intent detected.
Findings (7)
[MEDIUM] All traffic proxied through third-party gateway (score -15)
Every API call in this skill routes through gateway.maton.ai and ctrl.maton.ai rather than directly to Google's APIs. Maton's gateway injects OAuth tokens server-side, meaning Maton has access to the user's Google Analytics OAuth credentials and all data flowing through the API. This is by design for the managed OAuth model, but it creates a single point of trust/failure.
[MEDIUM] Cross-skill reference encourages additional skill installation (score -15)
The skill description contains a direct reference to another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could cause an agent to suggest or install the api-gateway skill, expanding the surface area of third-party proxy integrations without explicit user intent.
[LOW] API key transmitted to external service (score -7)
MATON_API_KEY is read from the environment and sent as a Bearer token to Maton's servers. This is the expected authentication model, but if the key is leaked or Maton's infrastructure is compromised, the attacker gains access to all connected Google Analytics accounts.
[LOW] Directive troubleshooting language influences agent behavior (score -10)
The troubleshooting section uses strong directive language ('ALWAYS follow these steps', 'IMPORTANT') that shapes how the agent responds to errors. While contextually appropriate, this pattern could be abused in a modified version to redirect agent behavior during error states.
[INFO] Executable Python code blocks in SKILL.md (score -10)
The skill contains multiple Python code blocks using urllib.request that an agent would execute directly. These are standard HTTP API call patterns with no obfuscation or unexpected behavior, but they demonstrate that SKILL.md content directly drives code execution on the user's machine.
[INFO] JIT compilation artifacts in /tmp during install (score -5)
Filesystem monitoring captured creation of numerous .cjs files in /tmp/jiti/ during the audit. These are JIT-compiled modules from the ClawdBot agent runtime, not from the skill itself. They are benign runtime artifacts.
[INFO] Supply chain risk via Maton dependency (score -35)
The skill creates an architectural dependency where Maton acts as an intermediary for all Google Analytics operations. If Maton's service is compromised, discontinued, or acts maliciously, users lose both functionality and potentially data confidentiality. This is inherent to the managed OAuth model but worth noting.