Native Google Analytics

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can read GA4 reporting data for properties the Google account/token can access until the refresh token is revoked.

Why it was flagged

The skill requires a Google OAuth client secret and refresh token, but the documented OAuth scope is read-only Analytics access and is aligned with querying GA4 reports.

Skill content

scopes=['https://www.googleapis.com/auth/analytics.readonly'] ... GOOGLE_CLIENT_SECRET=your-client-secret ... GOOGLE_REFRESH_TOKEN=your-refresh-token

Recommendation

Use a dedicated OAuth client and the minimum GA4 property access needed, keep the client secret and refresh token out of chats/logs, and revoke the token when no longer needed.

What this means

Analytics results may be displayed in the agent conversation or copied into downstream outputs if the user asks for broad reports.

Why it was flagged

The script exposes flexible GA4 report parameters and calls the Google Analytics Data API directly, which is expected for this skill but can retrieve a broad range of authorized analytics data.

Skill content

url = f"https://analyticsdata.googleapis.com/v1beta/properties/{property_id}:runReport" ... parser.add_argument("--metrics", required=True) ... parser.add_argument("--filter", dest="filter_expr"

Recommendation

Ask for specific metrics, dates, and properties, and review report output before sharing it externally.

What this means

A future or compromised package version could affect the local setup environment if installed blindly.

Why it was flagged

The documentation suggests installing an unpinned PyPI package for the one-time OAuth token flow; this is user-directed and purpose-aligned, but the exact package version is not fixed.

Skill content

pip install google-auth-oauthlib

Recommendation

Install setup dependencies in a trusted environment, consider pinning/verification, or use the included standard-library auth script if appropriate.