Plausible
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill lets the agent access Plausible analytics data available to the configured API key.
The skill uses a Plausible API credential, which is expected for querying a user's Plausible analytics account and is handled via environment variable rather than chat or local plaintext storage.
API key comes from `PLAUSIBLE_API_KEY` environment variable. Never hardcode or ask user to paste keys in chat.
Use an API key with the minimum Plausible permissions needed, and avoid setting broader account credentials than necessary.
Site domains, preferred analytics queries, and goals/events may remain stored on the local machine for future agent use.
The skill creates persistent local memory containing analytics-related site and preference context. This is purpose-aligned and bounded to ~/plausible/, but users should know it persists business analytics context locally.
In `~/plausible/memory.md`: - Site IDs (domains) they track - Base URL (plausible.io or self-hosted) - Preferred default time period - Common query patterns - Goals/events they care about
Review ~/plausible/memory.md periodically and avoid storing secrets or sensitive notes there.