Google-analytics-GA4
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent GA4 read-only reporting skill, but it needs a Google service-account key and can optionally send reports to DingTalk, so credentials and outputs should be handled carefully.
This skill looks suitable for read-only GA4 reporting if you trust the source and configure it carefully. Before installing, create a dedicated service account, grant only the minimum GA4 Viewer access needed, do not commit real ga-credentials.json files, verify any local ignore rules yourself, and only enable the DingTalk webhook if that chat destination is approved to receive analytics reports.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A service-account JSON key is a long-lived bearer credential: anyone who obtains it can query every GA4 property that service account has been granted access to, including sensitive metrics such as conversions or revenue where those are enabled, until the key is revoked.
This shows the skill uses a Google service-account key with delegated GA4 property access. That is expected for a GA4 reporting skill, but it is still credentialed access to business analytics data.
Download the file and save it as `ga-credentials.json` ... Role: at least **Viewer**.
Use a dedicated service account with only GA4 Viewer access on the specific properties it needs, avoid unnecessary GCP roles, store the JSON key with owner-only file permissions and outside shared folders or repositories, and rotate or revoke the key immediately if it is exposed.
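The key-handling checks above can be run before the skill is installed. The following Python is an added example for this review, not code from the skill or from ClawScan: it verifies that a file named ga-credentials.json is a service-account key (not a user OAuth credential), that it is readable only by its owner, and that the working directory's .gitignore actually covers it. The .gitignore matching is deliberately simplified (plain names, globs, leading-slash anchors and `!` negation only), and the fixture in run_demo() is constructed for illustration.

```python
import json
import os
import stat
import tempfile
from fnmatch import fnmatch
from pathlib import Path

KEY_NAME = "ga-credentials.json"  # file name the skill's setup instructions use


def check_key_file(path):
    """Return a list of problems with a service-account key file (empty list means OK)."""
    p = Path(path)
    if not p.is_file():
        return [f"{p}: missing"]
    problems = []
    # A key is a bearer credential: it should be readable by its owner only.
    # (POSIX permission bits; on Windows check the ACL instead.)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{p}: mode {mode:04o} is readable by group/other; chmod 600")
    try:
        data = json.loads(p.read_text())
    except (OSError, ValueError) as exc:
        return problems + [f"{p}: not valid JSON ({exc})"]
    # Only a service-account key belongs here, not a user OAuth credential
    # or an unrelated JSON file that happens to have the same name.
    if data.get("type") != "service_account":
        problems.append(f"{p}: 'type' is {data.get('type')!r}, expected 'service_account'")
    for field in ("project_id", "client_email", "private_key"):
        if not data.get(field):
            problems.append(f"{p}: missing '{field}'")
    return problems


def ignored_by_gitignore(gitignore_path, rel_path):
    """Simplified .gitignore check: plain names, globs, leading '/' anchors and
    '!' negation, with the last matching rule winning as in git. Directory-only
    rules and nested .gitignore files are not modelled (simplification)."""
    try:
        lines = Path(gitignore_path).read_text().splitlines()
    except OSError:
        return False
    name = Path(rel_path).name
    ignored = False
    for raw in lines:
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        pat = pat.strip("/")
        if fnmatch(rel_path, pat) or fnmatch(name, pat):
            ignored = not negate
    return ignored


def run_demo():
    """Constructed fixture: one correctly protected key, one wrong file with loose
    permissions, and a .gitignore that covers *.json but re-includes package.json."""
    root = Path(tempfile.mkdtemp())
    good = root / KEY_NAME
    good.write_text(json.dumps({
        "type": "service_account",
        "project_id": "demo-project",
        "client_email": "ga-reader@demo-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n",
    }))
    os.chmod(good, 0o600)
    bad = root / "oauth-user.json"
    bad.write_text(json.dumps({"type": "authorized_user", "client_id": "constructed"}))
    os.chmod(bad, 0o644)
    (root / ".gitignore").write_text("# local secrets\n*.json\n!package.json\n")
    return {
        "good": check_key_file(good),
        "bad": check_key_file(bad),
        "key_ignored": ignored_by_gitignore(root / ".gitignore", KEY_NAME),
        "package_ignored": ignored_by_gitignore(root / ".gitignore", "package.json"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run check_key_file() against the real path before the first report, and treat a non-empty result or a False from ignored_by_gitignore() as a stop condition rather than a warning; a key that is already committed needs revocation, not just a .gitignore entry.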
If configured, analytics reports may be posted to a DingTalk channel where other people or systems can see them.
The artifact discloses an optional outbound webhook path for sending traffic-source reports to DingTalk. This is purpose-aligned, but it can move analytics data into an external chat system.
Optional (traffic source report + DingTalk): `pip install requests` and set `DINGTALK_WEBHOOK` / `DINGTALK_SECRET`.
Only set DingTalk webhook variables for approved channels, review report contents before sharing, and leave those environment variables unset if external notification is not needed.
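The gating described above can be enforced in code rather than left to whoever sets the environment. The following Python is an added example for this review, not the skill's own DingTalk code: it refuses to post unless DINGTALK_WEBHOOK is an explicitly approved https URL, treats an unset variable as "notification off", caps the message size, and builds the signed URL using the scheme DingTalk documents for custom robots with a signing secret (HMAC-SHA256 over `timestamp + "\n" + secret`, base64, URL-encoded). The allowlist entry, the message cap and the sample environment are constructed assumptions; nothing here makes a network call.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote_plus, urlparse

# Assumption for this example: the team keeps an explicit allowlist of approved
# robot webhooks; a DINGTALK_WEBHOOK value outside it is refused even if set.
APPROVED_WEBHOOKS = {
    "https://oapi.dingtalk.com/robot/send?access_token=0123456789abcdef",  # constructed value
}
MAX_MESSAGE_CHARS = 800  # assumed cap so a full data export cannot land in chat by accident


def dingtalk_sign(secret, timestamp_ms):
    """Signature for DingTalk custom robots with a signing secret:
    base64(HMAC-SHA256(key=secret, msg=f"{timestamp}\\n{secret}")), URL-encoded."""
    string_to_sign = f"{timestamp_ms}\n{secret}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    return quote_plus(base64.b64encode(digest).decode("ascii"))


def resolve_notification(env, approved=APPROVED_WEBHOOKS):
    """Decide from the two env vars the skill documents whether a report may be posted.
    Returns None when notification is off, (webhook, secret) when allowed; raises otherwise."""
    webhook = env.get("DINGTALK_WEBHOOK")
    secret = env.get("DINGTALK_SECRET")
    if not webhook:
        return None  # unset: external notification stays off, nothing leaves the host
    if urlparse(webhook).scheme != "https":
        raise ValueError("DINGTALK_WEBHOOK must use https")
    if webhook not in approved:
        raise ValueError("DINGTALK_WEBHOOK is not an approved channel")
    if not secret:
        raise ValueError("DINGTALK_SECRET is required when a webhook is configured")
    return webhook, secret


def build_message(report_lines, max_chars=MAX_MESSAGE_CHARS):
    """DingTalk text payload, truncated so the channel gets a summary, not a dump."""
    text = "\n".join(report_lines)
    if len(text) > max_chars:
        text = text[:max_chars] + "\n... (truncated; see the full report in the reporting tool)"
    return {"msgtype": "text", "text": {"content": text}}


def prepare_post(env, report_lines, timestamp_ms=None):
    """Dry run: return (signed_url, payload), or None when notification is off."""
    target = resolve_notification(env)
    if target is None:
        return None
    webhook, secret = target
    ts = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    sep = "&" if "?" in webhook else "?"
    url = f"{webhook}{sep}timestamp={ts}&sign={dingtalk_sign(secret, ts)}"
    return url, build_message(report_lines)


if __name__ == "__main__":
    # Constructed sample environment and report lines
    env = {
        "DINGTALK_WEBHOOK": "https://oapi.dingtalk.com/robot/send?access_token=0123456789abcdef",
        "DINGTALK_SECRET": "SECconstructedsecret",
    }
    lines = ["Traffic sources, last 7 days", "google / organic: 1,234 sessions", "direct: 567 sessions"]
    print(prepare_post(env, lines, timestamp_ms=1700000000000))
```

To actually send, take the returned (url, payload) and call `requests.post(url, json=payload, timeout=10)`, then check the JSON response's errcode. Keeping the send separate from prepare_post() lets you log or review exactly what would leave the host before enabling the webhook for a channel.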
A later installation could pull newer dependency versions than the author tested.
The skill depends on third-party PyPI packages with minimum-version constraints rather than exact pinned versions. This is common and purpose-aligned, but future installs may resolve different package versions.
google-analytics-data>=0.19.0 ... google-auth>=2.0.0 ... requests>=2.28.0
Install in a controlled environment and consider pinning versions or using a lockfile if this skill is used in production workflows.
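One way to turn the minimum-version specs quoted above into exact pins is to record the versions from the environment in which the skill was actually tested. The following Python is an added example for this review, not part of the skill: it parses the three requirement lines, looks up what is installed, refuses to pin a package that is missing or below the stated minimum, and emits `name==version` lines. Extras, environment markers and pre-release version ordering are not modelled (simplifications for this example); the lookup is injectable so the logic can be exercised without those packages installed.

```python
import re
from importlib import metadata

# The three requirement lines quoted from the skill's install spec (copied for this example)
SKILL_REQUIREMENTS = [
    "google-analytics-data>=0.19.0",
    "google-auth>=2.0.0",
    "requests>=2.28.0",
]

# name, optional operator, optional version; extras and environment markers are
# not handled (simplification for this example)
_SPEC = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|!=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$"
)


def parse_spec(line):
    """Split 'name>=1.2' into ('name', '>=', '1.2'); raises on lines this example does not model."""
    m = _SPEC.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    return m.groups()


def version_key(version):
    """Numeric comparison key. Simplified: pre-release and local tags are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def installed_version(name):
    """Version of a distribution in the current environment, or None if absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def pin_requirements(lines, lookup=installed_version):
    """Turn minimum-version specs into exact pins taken from the environment the
    skill was tested in. Returns (pinned_lines, problems)."""
    pinned, problems = [], []
    for line in lines:
        name, op, ver = parse_spec(line)
        if op == "==":
            pinned.append(line.strip())  # already exact; keep as written
            continue
        have = lookup(name)
        if have is None:
            problems.append(f"{name}: not installed; install in the tested environment first")
            continue
        if op == ">=" and ver and version_key(have) < version_key(ver):
            problems.append(f"{name}: installed {have} is below the required minimum {ver}")
            continue
        pinned.append(f"{name}=={have}")
    return pinned, problems


if __name__ == "__main__":
    pins, issues = pin_requirements(SKILL_REQUIREMENTS)
    print("\n".join(pins))
    for issue in issues:
        print("#", issue)
```

Write the pinned lines to a lock file and install from it (`pip install -r requirements.lock`) in the production environment. For stronger supply-chain control, generate the lock with hashes (for example `pip-compile --generate-hashes` from pip-tools) and install with `pip install --require-hashes`, so a later install cannot silently pull a different or tampered artifact.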
