Plausible Analytics
PassAudited by ClawScan on May 10, 2026.
Overview
This is a straightforward Plausible Analytics helper that uses your Plausible API key to read analytics from Plausible, with no hidden endpoints, persistence, or destructive behavior shown.
Install if you are comfortable letting the agent use PLAUSIBLE_API_KEY to read Plausible analytics. Prefer a limited/read-only key if available, avoid exposing the environment variable outside trusted sessions, and remember that analytics outputs such as referrers, pages, countries, and traffic counts may be sensitive.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can retrieve Plausible analytics for any site the API key is allowed to access, and those results may include sensitive business traffic data.
The script reads a Plausible API key from the environment and sends it to Plausible as the provider authentication token. This is expected for the stated purpose, but it means the skill can access analytics permitted by that key.
const apiKey = process.env.PLAUSIBLE_API_KEY; ... 'Authorization': `Bearer ${apiKey}`Use the least-privileged Plausible API key available, set it only in trusted environments, and confirm the site ID before running queries.
You have less information about the publisher or upstream project beyond the files included in this package.
The registry metadata does not provide an upstream source or homepage, so users have less external provenance information. The reviewed package contents are present and simple, so this is only a notice.
Source: unknown Homepage: none
Review the included scripts before installing and prefer trusted publishers or packages with clear upstream source links when possible.