Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Matomo Analytics

v1.0.1

Query, analyze, and manage Matomo Analytics with API integration, custom reports, and goal tracking.

by Iván @ivangdavila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: all guidance and examples focus on calling the user's Matomo API and storing only local configuration under ~/matomo/. The skill requests no unrelated binaries, credentials, or config paths.
Instruction Scope
Runtime instructions are narrowly scoped to querying the user's Matomo instance and maintaining local memory under ~/matomo/. The SKILL.md repeatedly warns not to store tokens in plaintext and to reference tokens by name. One operational note: the provided examples use token_auth in query strings (URL) which is standard for Matomo but can expose tokens in logs or intermediary proxies; the document does recommend env var/keychain storage but enforcement is left to the agent and user.
Install Mechanism
No install spec and no code files — this is instruction-only, which minimizes risk because nothing is downloaded or written by an installer.
Credentials
The skill declares no required environment variables or credentials. It suggests (optionally) using MATOMO_TOKEN or a system keychain to store a token, which is proportional to the task of calling a Matomo API.
Persistence & Privilege
always is false, user-invocable is true, and the skill only proposes to write under ~/matomo/. It does not request system-wide changes or access to other skills' configs.
Assessment
This skill appears coherent and does what it says, but keep these precautions in mind before installing or using it:
- Confirm the Matomo URL you provide is your own self-hosted instance; the skill will send API requests only to that URL.
- Do NOT paste your token into chat. Follow the guidance to store the token in an environment variable (e.g., MATOMO_TOKEN) or the system keychain and reference it by name.
- Be aware that including token_auth in a query string (the examples use ?token_auth=...) can expose the token in server logs, proxies, or shell history. Use HTTPS and prefer secure storage; if possible avoid pasting tokens into command lines that might be recorded.
- Periodically inspect ~/matomo/ (memory.md, reports) to ensure no credentials were accidentally saved in plaintext.
- Because this is instruction-only (no code installed), the agent and you are responsible for following the documented rules; if you need stronger guarantees, prefer a skill that includes vetted code or an installable package from a trusted source.
- If you share access with others, rotate the token and limit its scope where Matomo supports that.

If you want, I can list the exact places the skill will write (files and directories), or suggest safer command patterns for calling Matomo so tokens are less likely to leak.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ebtfsmqrrb2etpxmsbjdnxs81vetw

Runtime requirements

📊 Clawdis
OS: Linux · macOS · Windows
