Google Tag Manager
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could change analytics or marketing tags and potentially publish changes to a live site.
The skill is intended to perform broad GTM management, including actions that can change tags, triggers, variables, and published container versions.
Manage GTM accounts, containers, workspaces, tags, triggers, variables, environments, and container versions.
Confirm the exact GTM account, container, workspace, resource, and intended effect before any write or publish action.
Anyone or any agent with this API key and connection access may be able to act within the connected GTM permissions.
The skill requires a Maton API key and uses the connected Google account’s GTM permissions, which is expected for this integration but is sensitive account authority.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Store MATON_API_KEY securely, avoid sharing it in chats or logs, and revoke or rotate it if exposed.
GTM request details pass through Maton’s service, so users must trust Maton’s handling of OAuth-mediated access and API traffic.
Requests to Google Tag Manager are routed through the Maton gateway, which is disclosed and purpose-aligned but means GTM API traffic depends on a third-party proxy.
Maton proxies requests to `tagmanager.googleapis.com` and automatically injects your OAuth token.
Use this skill only if you trust Maton for managed OAuth, and review active connections regularly.