GA4 Analytics
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently performs read-only GA4 reporting, but users should treat the required Google OAuth refresh token and analytics output as sensitive.
This appears safe for its stated read-only GA4 reporting purpose. Before installing, make sure you are comfortable giving it access to your GA4 reports, keep the refresh token private, verify the OAuth consent is read-only, and install the Python dependencies from trusted sources.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill gives it read access to GA4 reporting data for the configured property, using a sensitive refresh token.
The skill requires Google OAuth credentials and a GA4 property ID to access account analytics data.
`GA4_PROPERTY_ID`, `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GOOGLE_REFRESH_TOKEN`
Use a dedicated OAuth client, keep the refresh token private, and ensure the token is limited to the intended GA4 property and read-only analytics access.
The granted token can read analytics reports, but the reviewed code does not show write or admin operations.
The OAuth setup requests the Google Analytics read-only scope, which supports the stated non-mutating purpose.
SCOPES = ["https://www.googleapis.com/auth/analytics.readonly"]
Confirm the OAuth consent screen shows only the expected read-only Analytics permission before authorizing.
The refresh token could be copied from terminal output or logs if the session is shared or recorded.
The setup helper prints the full refresh token so the user can export it, which is expected for setup but exposes a sensitive credential in terminal output.
print(f"Refresh Token: {tokens.get('refresh_token', 'N/A')}")
Run the auth helper only in a private terminal, avoid sharing logs, and store the refresh token in a secure environment-variable manager.
Dependency contents and versions are not fixed by the artifact, so users rely on the current packages resolved by pip.
The script documents runtime dependencies installed from Python packages without pinned versions or a lockfile.
Install: pip install google-analytics-data google-auth-oauthlib
Install dependencies from trusted package indexes and consider pinning known-good versions in your environment.
