ClawHub

GA4 Analytics

v1.2.2

Query Google Analytics 4 (GA4) data via the Analytics Data API. Use when you need to pull website analytics like top pages, traffic sources, user counts, ses...

1· 3.7k·24 current·28 all-time
byJonathan Rhyne@jdrhyne
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (GA4 Data API queries) matches the requested environment variables (GA4_PROPERTY_ID, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REFRESH_TOKEN) and the included Python scripts. OAuth client credentials and a refresh token are reasonable and expected for offline read-only access to GA4.
Instruction Scope
SKILL.md and the scripts limit activity to the Google OAuth endpoints and the Analytics Data API. ga4_auth.py prints tokens to stdout and instructs the user to export the refresh token into their environment; the skill does not persist credentials to disk itself. Users should be aware that following the auth flow will surface tokens in the terminal, which they then may store in their environment (outside the skill).
Install Mechanism
There is no automated install downloader; the skill is instruction-only and the Python scripts simply require standard pip packages (google-analytics-data, google-auth-oauthlib). The scripts themselves do not fetch arbitrary code from unknown URLs.
Credentials
Requested environment variables are limited to what the GA4 read-only flow needs (property ID + OAuth client ID/secret/refresh token). No unrelated credentials, system config paths, or secret-named variables are requested.
Persistence & Privilege
The skill is not always-enabled, does not alter other skills or system configuration, and does not create persistent background services. It only runs as invoked and uses provided credentials for API calls.
Assessment
This skill appears to do only what it says: run read-only GA4 queries. Before installing or running: (1) review the provided scripts locally (they're small and readable); (2) only use OAuth credentials that you trust and scope to read-only Analytics access; (3) be aware the auth script prints tokens to your terminal — avoid running in shared environments or pasting tokens where others can see them; (4) if you prefer not to use a client secret/refresh token, consider creating dedicated credentials or a least-privileged account for this purpose; and (5) run pip dependency installation in a virtual environment to avoid affecting global packages. If you need higher assurance, ask the publisher for source provenance (the registry owner ID is included) before adding sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97335vwhqnm0p8nyx7pvz8mcx821vbw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Any binpython3, python
EnvGA4_PROPERTY_ID, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REFRESH_TOKEN

Comments