Matomo Analytics
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may let the agent access analytics data for the Matomo sites associated with the token you provide.
The skill requires a Matomo API token to query non-public analytics data. This is purpose-aligned and disclosed, but the token may grant access to private analytics information.
Auth token included in requests (user-controlled)
Use a dedicated Matomo token with the minimum permissions needed, store it in an environment variable or keychain as recommended, and revoke it if no longer needed.
Site names, analytics preferences, report templates, and possibly cached analytics context may remain on the local machine for future use.
The skill keeps persistent local context about Matomo sites, preferences, and credential references. This is scoped and purpose-aligned, but it may contain business analytics context reused in later interactions.
Memory lives in `~/matomo/` ... `memory.md` # Sites, credentials ref, preferences
Review `~/matomo/memory.md` periodically, avoid storing raw tokens there, and remove cached analytics information you no longer want retained.