GA4 Analytics
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill gives it read access to GA4 reporting data for the configured property, using a sensitive refresh token.
The skill requires Google OAuth credentials and a GA4 property ID to access account analytics data.
`GA4_PROPERTY_ID`, `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GOOGLE_REFRESH_TOKEN`
Use a dedicated OAuth client, keep the refresh token private, and ensure the token is limited to the intended GA4 property and read-only analytics access.
The granted token can read analytics reports, but the reviewed code does not show write or admin operations.
The OAuth setup requests the Google Analytics read-only scope, which supports the stated non-mutating purpose.
SCOPES = ["https://www.googleapis.com/auth/analytics.readonly"]
Confirm the OAuth consent screen shows only the expected read-only Analytics permission before authorizing.
The refresh token could be copied from terminal output or logs if the session is shared or recorded.
The setup helper prints the full refresh token so the user can export it, which is expected for setup but exposes a sensitive credential in terminal output.
print(f"Refresh Token: {tokens.get('refresh_token', 'N/A')}")
Run the auth helper only in a private terminal, avoid sharing logs, and store the refresh token in a secure environment-variable manager.
Dependency contents and versions are not fixed by the artifact, so users rely on the current packages resolved by pip.
The script documents runtime dependencies installed from Python packages without pinned versions or a lockfile.
Install: pip install google-analytics-data google-auth-oauthlib
Install dependencies from trusted package indexes and consider pinning known-good versions in your environment.
