Matomo Analytics
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: matomo
Version: 1.0.1
The skill is designed for legitimate Matomo analytics integration and includes strong documentation emphasizing secure credential handling and limited data egress. However, the `SKILL.md` and `api.md` files provide `curl` command patterns that interpolate multiple user-controlled variables (e.g., `{matomo_url}`, `{method}`, `{site_id}`, `{period}`, `{date}`, `{token}`). If the OpenClaw agent executes these commands without robust input sanitization, the pattern introduces a significant shell injection vulnerability: a malicious value supplied for one of these variables could potentially execute arbitrary commands on the host system. While there is no evidence of intentional malicious behavior by the skill author, this high-risk execution pattern makes the skill suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may let the agent access analytics data for the Matomo sites associated with the token you provide.
The skill requires a Matomo API token to query non-public analytics data. This is purpose-aligned and disclosed, but the token may grant access to private analytics information.
Auth token included in requests (user-controlled)
Use a dedicated Matomo token with the minimum permissions needed, store it in an environment variable or keychain as recommended, and revoke it if no longer needed.
Site names, analytics preferences, report templates, and possibly cached analytics context may remain on the local machine for future use.
The skill keeps persistent local context about Matomo sites, preferences, and credential references. This is scoped and purpose-aligned, but it may contain business analytics context reused in later interactions.
Memory lives in `~/matomo/` ... `memory.md` (sites, credentials ref, preferences)
Review `~/matomo/memory.md` periodically, avoid storing raw tokens there, and remove cached analytics information you no longer want retained.
