Datafast Analytics
v0.1.0Query DataFast website analytics and visitor data via the DataFast API for metrics, time series, realtime stats, breakdowns, visitor details, and goal/paymen...
⭐ 0· 699·2 current·2 all-time
by@bennyqp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the instructions: all runtime actions are calls to the DataFast API (GET/POST/DELETE analytics, visitors, goals, payments). The skill does not ask for unrelated binaries, cloud credentials, or system-wide access.
Instruction Scope
Instructions are narrowly scoped to building HTTP requests with curl, reading the API key from ~/.config/datafast/api_key, parsing JSON, and summarizing results. The SKILL.md correctly warns to confirm destructive DELETE actions. Minor gap: it references a local docs file at references/datafast-api-docs.md which is not included in the manifest — that is a missing file, not an escalation of privileges.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk writes and arbitrary code execution risk.
Credentials
The only secret the skill uses is a DataFast API key stored in ~/.config/datafast/api_key (SKILL.md shows reading it into DATAFAST_API_KEY). No unrelated environment variables or credentials are requested. Recommend securing the API key file (avoid world-readable permissions) and using a limited-scope key when possible. The skill does not declare required env vars in the registry metadata; instead it relies on a local config file — this is coherent but worth noting.
Persistence & Privilege
always:false and no install actions. The skill does not request permanent agent-level privileges, nor does it modify other skills or system-wide config.
Assessment
This skill appears to do what it says: make authenticated HTTP calls to DataFast and summarize analytics. Before installing, consider: 1) Only provide a DataFast API key you trust (create a limited-scope key if the service supports it). 2) Store the key securely (e.g., ~/.config/datafast/api_key with chmod 600) rather than leaving it world-readable. 3) The skill will make network calls to https://datafa.st — ensure you trust that endpoint. 4) The SKILL.md references a local API docs file that isn't included; ask the publisher or inspect any code repo before cloning into your workspace. 5) When the skill wants to DELETE goals/payments, it correctly asks for explicit confirmation — always verify filters/time ranges before allowing destructive actions.Like a lobster shell, security has layers — review code before you run it.
latestvk970hwfrg44v3v3xnyv34xtrf581fgyn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.