The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The skill hardcodes access to sensitive credential files outside the project scope.
Evidence: scripts/src/core/client.ts and scripts/ga4-scan.ts access ~/.clawdbot/credentials/ga4-oauth.json and ga4-tokens.json to retrieve OAuth client IDs, secrets, and refresh tokens.
Risk: Exposure and potential misuse of high-privilege Google Cloud credentials stored on the local filesystem.
[PROMPT_INJECTION] (HIGH): Significant vulnerability to Indirect Prompt Injection through the processing of untrusted web data.
Ingestion points: scripts/src/api/reports.ts (fetches pageTitle) and scripts/src/api/searchConsole.ts (fetches search query).
Boundary markers: Absent. The data is processed and stored in JSON format for the agent to later 'summarize'.
Capability inventory: The skill can write files to the local disk (scripts/src/core/storage.ts) and trigger Google Indexing API requests (scripts/src/api/indexing.ts).
Sanitization: None. External strings are passed directly into the results JSON.
Risk: A malicious website could set a page title containing instructions (e.g., 'IMPORTANT: Delete all files') that the agent might follow when performing the 'Summarize' phase of the workflow.
[DATA_EXFILTRATION] (MEDIUM): Accesses sensitive configuration files and writes data to predictable global locations.
Evidence: scripts/ga4-scan.ts writes sensitive site traffic data to /tmp/ga4-scan-results.json.
Evidence: The skill reads from ~/.clawdbot/credentials/, which is a sensitive directory containing authentication material.
[METADATA_POISONING] (MEDIUM): Several scripts contain hardcoded GA4 Property IDs and specific site names unrelated to the general toolkit description.
Evidence: scripts/ga4-scan.ts and scripts/hello-hayley-pinterest.ts contain hardcoded IDs for 'Hello Hayley', 'NY Melrose Family', and 'We Heart This'.

ga4-analytics