Google Analytics Intelligence

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill is coherent for GA4 analytics and reporting, but users should notice that it needs Google Analytics access and a Slack webhook that can share business metrics externally.

Before installing, make sure you are comfortable giving the skill access to your GA4 property and a Slack webhook. Use a dedicated Slack channel if the reports may include revenue or conversion data, and keep the API key and webhook secret.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If configured, the agent may be able to retrieve GA4 analytics and revenue-related metrics and post messages to the configured Slack destination.

Why it was flagged

The skill requires a Google Analytics property/API key and a Slack webhook, which are credentials or authority-bearing values tied to third-party accounts.

Skill content

"env": ["GOOGLE_ANALYTICS_PROPERTY_ID", "GOOGLE_ANALYTICS_API_KEY", "SLACK_WEBHOOK_URL"]

Recommendation

Use least-privileged credentials where possible, restrict the Slack webhook to an appropriate channel, and revoke or rotate these values if the skill is no longer needed.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Business analytics, traffic anomalies, conversion metrics, or revenue summaries could be shared into Slack where channel membership and retention policies apply.

Why it was flagged

The skill discloses that analytics results may be sent through Slack, an external webhook/provider boundary.

Skill content

- **Integrating with Slack** for real-time alerts on significant changes

Recommendation

Confirm the Slack destination is appropriate for analytics and revenue data, and avoid sending sensitive details to broad or public channels.

Low

#ASI02: Tool Misuse and Exploitation

What this means

The agent may use local commands to call external APIs or prepare reports as part of the requested analytics workflow.

Why it was flagged

The skill requires command-line tools capable of local execution and network API calls; this is expected for GA4 and Slack integration but still worth noticing.

Skill content

"bins": ["python3", "curl"]

Recommendation

Run it in a normal user environment, review generated commands or outputs when possible, and avoid providing unrelated local secrets.