Google Analytics CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for Google Analytics reporting, but it relies on auto-detected Google credentials and an unpinned external CLI, so users should review credential scope before use.
Install only after confirming you trust the `google-analytics-cli` npm package. Use a dedicated, least-privilege Google service account and pass its credential file explicitly; do not let the skill use broad gcloud default credentials unless you intend to expose all analytics data available to that account.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, the agent may query any Google Analytics accounts and properties that the detected Google credentials can view, including account structure and access/audit information.
The skill can use local Google credential files or gcloud default credentials, not just an explicitly supplied service account. That is high-impact account access and the artifacts do not clearly constrain which accounts/properties may be queried.
Credentials are resolved in this order:
1. `--credentials <path>` flag (per-command)
2. `GOOGLE_APPLICATION_CREDENTIALS` env var
3. `~/.config/google-analytics-cli/credentials.json` (auto-detected)
4. gcloud Application Default Credentials
Use a dedicated service account with Viewer access limited to the intended GA4 property, pass it explicitly with `--credentials`, and avoid relying on gcloud Application Default Credentials unless you have reviewed their scope.
A compromised or unexpected npm package version could run local code and access the Google credentials used for analytics queries.
The skill depends on an unpinned globally installed npm package, while the artifact set contains no package code or install spec to review. This is purpose-aligned, but users should verify the package before letting it handle Google credentials.
If the CLI is not installed, install it:

```bash
npm install -g google-analytics-cli
```
Install only from a trusted npm source, consider pinning a known-good version, and review the package before using it with production Google Analytics credentials.
