Shopify/WooCommerce Marketing Partner: Attribuly AllyClaw

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Attribuly marketing analytics skill, but it uses an Attribuly API key to access sensitive ecommerce and advertising performance data.

This skill appears suitable if you want Attribuly-powered marketing analysis and trust the Attribuly API integration. Before installing, make sure the API key is appropriately scoped, understand that revenue/profit/ad-performance data may appear in agent responses, and keep human approval for any recommended campaign pauses, budget changes, or other business-impacting actions.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Severity: Medium)
What this means

Anyone using this skill may give the agent access to sensitive business analytics in Attribuly, such as spend, revenue, profit, and campaign performance.

Why it was flagged

The skill expects an Attribuly API key, which can grant access to the user's Attribuly account data used for marketing analytics.

Skill content
Primary credential: ATTRIBULY_API_KEY
Recommendation

Use a least-privilege or read-only Attribuly key if available, rotate/revoke the key when no longer needed, and only install if you trust the Attribuly integration.

ASI07: Insecure Inter-Agent Communication (Severity: Medium)
What this means

Your store and advertising performance data may be fetched from Attribuly and used in the agent's responses.

Why it was flagged

The skill sends authenticated requests to an external Attribuly API and retrieves sensitive ecommerce funnel and revenue metrics.

Skill content
Base URL: `https://data.api.attribuly.com`  
**Authentication:** `ApiKey` header ... `landing_page`, `spend`, `unique_users`, `purchases`, `revenue`
Recommendation

Confirm that this data flow is acceptable for your organization and avoid sharing reports into chats or workspaces where sensitive commercial metrics should not appear.

ASI02: Tool Misuse and Exploitation (Severity: Low)
What this means

The agent could retrieve more granular information from the connected Google Ads account, such as search terms or asset performance, when performing creative analysis.

Why it was flagged

The skill documents a flexible Google Ads query endpoint through Attribuly, which is broader than a fixed report endpoint even though the listed use is read-only and marketing-related.

Skill content
Endpoint: `POST /{version}/api/source/google-query` ... `gaql` ... Google Ads Query Language query string
Recommendation

Keep queries limited to the documented marketing-analysis use cases and ask the agent to summarize what it is querying before broad account-level reads.

ASI10: Rogue Agents (Severity: Low)
What this means

If scheduling is enabled, the agent may periodically access Attribuly data to create marketing reports.

Why it was flagged

The reference material describes recurring scheduled reports. No install-time scheduler or background worker is shown, but the instruction is relevant if the host agent supports scheduled autonomous runs.

Skill content
**Scheduled**: Every Monday at 09:00 AM (client's timezone) ... **End of Week**: Friday at 17:00 PM for preliminary insights
Recommendation

Only enable recurring reports intentionally, verify the schedule and recipients, and disable or revoke API access if you no longer want periodic reporting.