Matomo Analytics
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Matomo analytics helper that clearly discloses using a user-provided Matomo token and local configuration files, with no evidence of hidden endpoints or destructive behavior.
This skill appears safe to install for its stated purpose. Before using it, create a dedicated Matomo API token with limited permissions if possible, store the token only in a keychain or environment variable, and check the local `~/matomo/` files so they do not contain secrets or analytics details you do not want retained.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may let the agent access analytics data for the Matomo sites associated with the token you provide.
The skill requires a Matomo API token to query non-public analytics data. This is purpose-aligned and disclosed, but the token may grant access to private analytics information.
Auth token included in requests (user-controlled)
Use a dedicated Matomo token with the minimum permissions needed, store it in an environment variable or keychain as recommended, and revoke it if no longer needed.
Site names, analytics preferences, report templates, and possibly cached analytics context may remain on the local machine for future use.
The skill keeps persistent local context about Matomo sites, preferences, and credential references. This is scoped and purpose-aligned, but it may contain business analytics context reused in later interactions.
Memory lives in `~/matomo/` ... `memory.md` # Sites, credentials ref, preferences
Review `~/matomo/memory.md` periodically, avoid storing raw tokens there, and remove cached analytics information you no longer want retained.