Is jdrhyne/ga4 safe?
https://clawhub.ai/jdrhyne/ga4
This GA4 analytics skill appears legitimate and professionally implemented, using standard Google Analytics APIs and proper OAuth authentication. The main concerns are around sensitive file access during monitoring setup (likely unrelated to the skill itself) and the inherent security considerations of handling OAuth credentials.
Findings (3)
MEDIUM Canary File Access During Setup -15
Monitoring detected access to sensitive canary files including .env, SSH keys, and AWS credentials during the audit setup phase. While this appears to be related to the monitoring system itself rather than the skill, it indicates potential for sensitive file access.
LOW Executable Python Scripts -20
The skill contains Python scripts that execute when invoked. While this is expected functionality for a GA4 integration, it represents executable code that could potentially be misused.
INFO OAuth Credential Requirements -15
The skill requires sensitive OAuth credentials for Google Analytics access. Users should ensure these credentials are properly secured and have minimal necessary permissions.