Supermetrics
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the agent access through the Supermetrics API key to connected marketing accounts and potentially sensitive business reporting data.
The helper reads a Supermetrics API key and sends it as a bearer token for API calls.
key = os.environ.get("SUPERMETRICS_API_KEY") ... "Authorization": f"Bearer {_get_api_key()}"
Use a scoped and revocable Supermetrics key if available, keep it out of prompts/logs, and only query accounts and fields you intend the agent to access.
Queries and related marketing-account details are shared with Supermetrics as part of the integration.
The functions send query parameters, such as account IDs, fields, date ranges, filters, and search text, to the external Supermetrics MCP endpoint.
BASE_URL = "https://mcp.supermetrics.com" ... req = Request(url, data=data, headers=headers, method="POST")
Avoid putting unrelated secrets in search queries or filters, and confirm that Supermetrics is an acceptable processor for the marketing data you request.
A user may not see the credential requirement from registry metadata alone and cannot verify official provenance from the supplied source/homepage fields.
The registry metadata does not provide source/homepage provenance and under-declares the API key requirement that SKILL.md and the code show.
Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none; Primary credential: none
Verify the publisher/source before adding an API key, and update the registry metadata to declare SUPERMETRICS_API_KEY and official provenance.
