Web analytics platform that AI agents can query via CLI. Track page views, custom events, run A/B experiments, analyze funnels, retention cohorts, and traffi...
Security Analysis
high confidence
The skill's requirements and runtime instructions align with an analytics CLI: it needs an Agent Analytics API key and npx to run the official CLI and to add a tracking snippet; nothing requested appears unrelated to the stated purpose.
Name/description (web analytics CLI) match the declared requirement for AGENT_ANALYTICS_API_KEY and npx. The skill's actions (creating projects, returning a project write token, adding a tracker snippet, querying events) are coherent with an analytics platform.
SKILL.md instructs only analytics-related actions (npx CLI login/create/query, adding tracker snippet, firing events). It does not instruct the agent to read unrelated files, access other environment variables, or exfiltrate unrelated data. It does note a separate project write token (for embedding in pages) which is expected behavior for a tracker.
This is an instruction-only skill (no install spec). It runs @agent-analytics/cli through npx, which is expected but has operational implications: npx fetches and executes code from the npm registry at runtime. That is appropriate for a CLI-based integration, but users should be aware that npx runs remote code.
Only AGENT_ANALYTICS_API_KEY is required and declared as the primary credential — proportional for a read/query-focused analytics CLI. The instructions also produce a separate project write token (returned by the create command) used in tracker snippets; this is distinct from the API key and is described in the documentation.
The skill does not request always:true and does not ask to modify other skills or system-wide configs. Default autonomous invocation is allowed by platform defaults but is not combined here with any other wide privileges.
Guidance
This skill is internally coherent for an analytics CLI, but take these precautions before installing: (1) Only provide AGENT_ANALYTICS_API_KEY to agents you trust and store it securely. (2) The CLI is invoked via npx, which fetches and executes a package from npm at runtime—verify the package name, publisher, and release source (or prefer installing a pinned package version) before allowing the agent to run npx on your systems. (3) The create flow returns a project write token that you will embed in site pages; treat that token as public-facing (it must be embedded) but avoid exposing any admin API keys or dashboard credentials. (4) If you have concerns, self-hosting the tracker (the README references a GitHub repo and an MCP server) lets you audit the tracker/CLI code first. (5) Note a small metadata mismatch: SKILL.md lists version 3.7.0 while registry version is 4.0.0 — consider confirming the source and latest repo/tag before trusting the package.
Latest Release
v4.0.0
Add tracker features: time-on-page (2a), error tracking (2c), global properties (2d), consent management (2e), performance timing (2f)
Published by @dannyshmueli on ClawHub