Supermetrics

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says—query Supermetrics marketing data—but it requires API-key access and has incomplete registry provenance and credential metadata.

Install this only if you want the agent to query Supermetrics-connected marketing data. Verify the publisher/provenance, store the API key securely, revoke or scope it when possible, and avoid including unrelated secrets in query text or filters. The provided artifacts do not show hidden exfiltration, destructive actions, or background persistence.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill gives the agent access through the Supermetrics API key to connected marketing accounts and potentially sensitive business reporting data.

Why it was flagged

The helper reads a Supermetrics API key and sends it as a bearer token for API calls.

Skill content

key = os.environ.get("SUPERMETRICS_API_KEY") ... "Authorization": f"Bearer {_get_api_key()}"

Recommendation

Use a scoped and revocable Supermetrics key if available, keep it out of prompts/logs, and only query accounts and fields you intend the agent to access.

What this means

Queries and related marketing-account details are shared with Supermetrics as part of the integration.

Why it was flagged

The functions send query parameters, such as account IDs, fields, date ranges, filters, and search text, to the external Supermetrics MCP endpoint.

Skill content

BASE_URL = "https://mcp.supermetrics.com" ... req = Request(url, data=data, headers=headers, method="POST")

Recommendation

Avoid putting unrelated secrets in search queries or filters, and confirm that Supermetrics is an acceptable processor for the marketing data you request.

What this means

A user may not see the credential requirement from registry metadata alone and cannot verify official provenance from the supplied source/homepage fields.

Why it was flagged

The registry metadata does not provide source/homepage provenance and under-declares the API key requirement that SKILL.md and the code show.

Skill content

Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

Verify the publisher/source before adding an API key, and update the registry metadata to declare SUPERMETRICS_API_KEY and official provenance.