Supermetrics

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: supermetrics-openclawd
Version: 1.0.1

The skill bundle appears benign. The `supermetrics.py` script acts as a client for the Supermetrics API, retrieving the `SUPERMETRICS_API_KEY` from environment variables or a skill-specific `.env` file and using it to authenticate requests to `https://mcp.supermetrics.com`. All network calls are directed to this legitimate domain, and there is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation. The `SKILL.md` file provides clear, non-malicious instructions for using the API and does not contain any prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill gives the agent access, through the Supermetrics API key, to connected marketing accounts and potentially sensitive business reporting data.

Why it was flagged

The helper reads a Supermetrics API key and sends it as a bearer token for API calls.

Skill content

key = os.environ.get("SUPERMETRICS_API_KEY") ... "Authorization": f"Bearer {_get_api_key()}"

Recommendation

Use a scoped and revocable Supermetrics key if available, keep it out of prompts/logs, and only query accounts and fields you intend the agent to access.

What this means

Queries and related marketing-account details are shared with Supermetrics as part of the integration.

Why it was flagged

The functions send query parameters, such as account IDs, fields, date ranges, filters, and search text, to the external Supermetrics MCP endpoint.

Skill content

BASE_URL = "https://mcp.supermetrics.com" ... req = Request(url, data=data, headers=headers, method="POST")

Recommendation

Avoid putting unrelated secrets in search queries or filters, and confirm that Supermetrics is an acceptable processor for the marketing data you request.

What this means

A user may not see the credential requirement from registry metadata alone and cannot verify official provenance from the supplied source/homepage fields.

Why it was flagged

The registry metadata does not provide source/homepage provenance and under-declares the API key requirement that SKILL.md and the code show.

Skill content

Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

Verify the publisher/source before adding an API key, and update the registry metadata to declare SUPERMETRICS_API_KEY and official provenance.