hydrogen-analytics-tracking
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill facilitates the transmission of analytics data to well-known services (Google Analytics, Meta). It follows privacy best practices by recommending the server-side hashing of sensitive identifiers (email, phone) before they are sent to external endpoints.
- [CREDENTIALS_UNSAFE]: The documentation provides explicit guidance on using environment variables for managing sensitive API secrets and includes instructions for secret rotation in the event of exposure.
- [EXTERNAL_DOWNLOADS]: The skill references official script resources from trusted providers like Shopify and Google, loading them from authoritative domains to ensure integrity and compliance with security standards.
- [COMMAND_EXECUTION]: Referenced helper scripts (e.g., node scripts/search_shopify_docs.mjs) are standard utility tools for developers and do not present a security risk.
- [SAFE]: The skill provides comprehensive instructions for configuring Content Security Policy (CSP) using modern techniques like nonces and strict-dynamic, which significantly enhances the security posture of the tracking implementation.
Audit Metadata