v1.0.0

yandex-metrika-assistant

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:32 AM.

Analysis

The skill is mostly a coherent Yandex Metrika API assistant, but it warrants review because it uses powerful OAuth access and includes unsafe support wording that could lead users to share tokens or passwords with an external/admin contact.

Guidance

Review the OAuth scopes before installing. For ordinary analytics questions, prefer read-only Metrika access. Do not send tokens or passwords to Telegram, private messages, or support admins; keep them in OpenClaw secrets or environment variables. Confirm any write, import, access-grant, or cleanup action before letting the assistant perform it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
docs/INSTALL-FOR-HUMANS-RU.md
Telegram — [https://t.me/maya_pro](https://t.me/maya_pro) ... Do not send **tokens and passwords** to the open chat; send them only in a private message to a trusted admin or through the OpenClaw secrets settings.

The guide links an external support channel and then allows sending tokens/passwords privately to a trusted admin; this could cause users to disclose OAuth credentials outside OpenClaw secrets.

User impact: A user could mistakenly share a Yandex OAuth token or password with a third party, giving that party access to their Metrika data and possibly write permissions.

Recommendation: Do not share tokens or passwords through Telegram or private messages; store tokens only in OpenClaw secrets or environment variables, and remove or rewrite this guidance.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
docs/INSTRUCTION-GET-TOKEN-RU.md
For the full set (reports + counter management + uploads), check **all** ... `metrika:read` ... `metrika:write` ... `metrika:expenses` ... `metrika:user_params` ... `metrika:offline_data`

The skill documents OAuth scopes that can read analytics, modify Metrika resources, and upload expenses/user/offline data. This is purpose-aligned for advanced management/import features, but it is powerful access.

User impact: If broad scopes are granted, the assistant can operate with permissions beyond simple read-only reporting.

Recommendation: Grant the minimum scopes needed: use read-only access for reports, and add write/import scopes only when you intend to create, modify, or upload Metrika data.