Google Tag Manager
PassAudited by ClawScan on May 7, 2026.
Overview
The skill appears to be a coherent Google Tag Manager integration, but it uses Maton-managed OAuth/API keys and can make live GTM changes, so writes should be reviewed carefully.
Before installing, make sure you trust Maton with managed OAuth access to Google Tag Manager. Keep MATON_API_KEY private, specify the intended connection when multiple accounts exist, and require explicit confirmation before creating, updating, deleting, or publishing any GTM changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could change analytics or marketing tags and potentially publish changes to a live site.
The skill is intended to perform broad GTM management, including actions that can change tags, triggers, variables, and published container versions.
Manage GTM accounts, containers, workspaces, tags, triggers, variables, environments, and container versions.
Confirm the exact GTM account, container, workspace, resource, and intended effect before any write or publish action.
Anyone or any agent with this API key and connection access may be able to act within the connected GTM permissions.
The skill requires a Maton API key and uses the connected Google account’s GTM permissions, which is expected for this integration but is sensitive account authority.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Store MATON_API_KEY securely, avoid sharing it in chats or logs, and revoke or rotate it if exposed.
GTM request details pass through Maton’s service, so users must trust Maton’s handling of OAuth-mediated access and API traffic.
Requests to Google Tag Manager are routed through the Maton gateway, which is disclosed and purpose-aligned but means GTM API traffic depends on a third-party proxy.
Maton proxies requests to `tagmanager.googleapis.com` and automatically injects your OAuth token.
Use this skill only if you trust Maton for managed OAuth, and review active connections regularly.