Native Google Analytics

Pass
Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: native-google-analytics
Version: 0.1.1

The skill is designed to query Google Analytics 4 (GA4) data using the official Analytics Data API. It requires sensitive Google OAuth credentials (Client ID, Client Secret, Refresh Token) and a GA4 Property ID, which are explicitly requested as environment variables. The setup instructions in SKILL.md and README.md guide the user through obtaining these credentials via standard Google Cloud procedures and a `python3 -c` command using `google-auth-oauthlib`. The core script `scripts/ga4_query.py` uses these credentials to obtain an access token and then makes read-only API calls to `analyticsdata.googleapis.com`. There is no evidence of data exfiltration to unauthorized endpoints, arbitrary command execution, persistence mechanisms, or malicious prompt injection attempts against the agent. The input parsing for API filters constructs structured JSON and does not appear to allow for code injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can read GA4 reporting data for properties the Google account/token can access until the refresh token is revoked.

Why it was flagged

The skill requires a Google OAuth client secret and refresh token, but the documented OAuth scope is read-only Analytics access and is aligned with querying GA4 reports.

Skill content

scopes=['https://www.googleapis.com/auth/analytics.readonly'] ... GOOGLE_CLIENT_SECRET=your-client-secret ... GOOGLE_REFRESH_TOKEN=your-refresh-token

Recommendation

Use a dedicated OAuth client and the minimum GA4 property access needed, keep the client secret and refresh token out of chats/logs, and revoke the token when no longer needed.

What this means

Analytics results may be displayed in the agent conversation or copied into downstream outputs if the user asks for broad reports.

Why it was flagged

The script exposes flexible GA4 report parameters and calls the Google Analytics Data API directly, which is expected for this skill but can retrieve a broad range of authorized analytics data.

Skill content

url = f"https://analyticsdata.googleapis.com/v1beta/properties/{property_id}:runReport" ... parser.add_argument("--metrics", required=True) ... parser.add_argument("--filter", dest="filter_expr"

Recommendation

Ask for specific metrics, dates, and properties, and review report output before sharing it externally.

What this means

A future or compromised package version could affect the local setup environment if installed blindly.

Why it was flagged

The documentation suggests installing an unpinned PyPI package for the one-time OAuth token flow; this is user-directed and purpose-aligned, but the exact package version is not fixed.

Skill content

pip install google-auth-oauthlib

Recommendation

Install setup dependencies in a trusted environment, consider pinning/verification, or use the included standard-library auth script if appropriate.