GA4 Analytics
Security checks across malware telemetry and agentic risk
Overview
The analytics features are mostly coherent, but the skill also includes a Google Indexing API URL-removal action and requires sensitive Google service-account credentials, so users should review it carefully before installing.
Install only if you trust the publisher and are comfortable providing a dedicated Google service-account key. Limit that account to the intended GA4 property and Search Console site, review or disable the remove-from-index function unless you need it, confirm all indexing actions before running them, and keep .env and results/ out of version control.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on the wrong URL, the agent could request removal/deletion from Google's index and harm search visibility.
The code exposes a function that publishes a Google Indexing API deletion notification for a supplied URL. This can affect public search indexing, while the main skill description emphasizes re-indexing and inspection rather than removals.
export async function removeFromIndex(url: string, options: IndexingOptions = {}): Promise<UrlNotificationResult> { ... type: 'URL_DELETED'
Require explicit user confirmation for URL_DELETED operations, validate URLs against the configured Search Console site, and make the removal capability clearly visible in the main skill description.
A service-account key with these permissions can read SEO data and submit indexing notifications for configured Google properties.
The skill uses a Google service-account private key with Search Console read access and Indexing API authority. This is expected for the integration, but it is sensitive delegated account access.
credentials: { client_email: settings.clientEmail, private_key: settings.privateKey }, scopes: ['https://www.googleapis.com/auth/webmasters.readonly', 'https://www.googleapis.com/auth/indexing']
Use a dedicated least-privilege service account limited to the intended GA4 property and Search Console site, and rotate the key if it is exposed.
Reports, search queries, revenue metrics, and URL inspection data may remain on disk after use.
The skill persists analytics, search, indexing, and summary outputs locally by default. This is disclosed and useful, but the saved data may contain sensitive business and traffic information.
All results automatically save as timestamped JSON files to `results/{category}/`
Store the project in a trusted location, avoid committing results/ or .env files, and delete saved reports when they are no longer needed.
Installing the skill will pull and run standard npm package installation behavior for its dependencies.
The setup script installs npm dependencies. This is normal for a TypeScript Google API toolkit, and a package-lock file is present, but it is still external package installation despite the registry listing no install spec.
cd "$(dirname "$0")" && npm install
Review package.json/package-lock.json, install from a trusted environment, and avoid running setup with elevated privileges.
