Google Analytics
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: google-analytics Version: 1.0.12 The google-analytics skill provides a legitimate integration with Google Analytics via the Maton API proxy (api.maton.ai). The SKILL.md file contains well-documented instructions for the AI agent, including explicit security guidelines that mandate user approval for high-impact administrative operations and prioritize read-only access for reporting. The provided Python snippets are standard API interactions using urllib, and no evidence of data exfiltration, malicious execution, or prompt-injection attacks was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could change or delete analytics configuration that affects data collection.
The skill exposes high-impact Google Analytics administration operations, but the artifact discloses the risk and requires explicit approval for writes.
Admin API (write-capable — can create, update, and delete accounts, properties, and data streams) ... All Admin API write operations require explicit user approval with specific resource identifiers before execution.
Prefer the Data API for reports, and approve Admin API writes only when you have checked the exact account, property, stream, and intended change.
Anyone or any agent with the API key and authorized connection could access the connected Google Analytics resources within the granted scope.
The skill depends on a Maton API key and delegated Google OAuth access, which is expected for the integration but grants access to Google Analytics data and admin functions.
All requests require the Maton API key in the Authorization header ... Maton proxies requests ... and automatically injects your OAuth token.
Store MATON_API_KEY securely, grant only the connections you need, and revoke unused Google Analytics connections.
Google Analytics report data and admin requests may transit the Maton service rather than going directly from your environment to Google.
Requests and responses pass through a third-party API gateway. This is disclosed and central to the managed OAuth design, but it is still a sensitive data boundary.
Maton proxies requests to `analyticsadmin.googleapis.com` and `analyticsdata.googleapis.com` and automatically injects your OAuth token.
Use this skill only if you trust Maton for the connected Google Analytics account and understand its OAuth connection model.