Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Supalytics - Web Analytics
v1.0.1
Query web analytics data using the Supalytics CLI. Use when the user wants to check pageviews, visitors, top pages, traffic sources, referrers, countries, revenue metrics, conversions, funnels, events, or realtime visitors.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (querying web analytics via the Supalytics CLI) line up with the runtime instructions and required binary (supalytics). The commands and examples are coherent with an analytics CLI.
Instruction Scope
SKILL.md instructs installing Bun and the @supalytics/cli, using supalytics commands, and handling OAuth device flow by capturing and presenting a verification URL. It does not instruct reading unrelated files or environment variables. Minor scope issues: the doc uses jq in examples but jq is not declared as a required binary; the instructions also run a global installer (bun add -g) which affects the host environment.
Install Mechanism
There is no formal install spec; the README tells the user to run curl -fsSL https://bun.sh/install | bash (a remote install script) and then bun add -g @supalytics/cli. While bun.sh is an official site, curl|bash patterns are higher risk because they execute remote code; global installs modify the host environment. The skill does not declare Bun as a required binary despite requiring it in the install steps.
Credentials
The skill requests no environment variables or secrets and relies on OAuth device flow for auth, which is proportionate. Note: OAuth requires the agent to capture and present verification URLs and poll for completion — ensure the agent will not leak that data. Also, examples reference jq but jq is not declared as required.
Persistence & Privilege
always:false and normal autonomous invocation. The skill does not request persistent system-wide configuration or elevated privileges in its metadata. The only notable persistence is the implicit global installation via bun add -g, which writes to the host environment.
What to consider before installing
This skill appears to do what it claims (wrap the Supalytics CLI), but take these precautions before installing or running it:
- Verify sources: bun.sh and @supalytics/cli come from public sources — confirm you trust bun.sh and the package registry before running curl | bash or global installs.
- Prefer manual installs: instead of piping a remote script to bash, manually review the bun installer or install Bun via your OS package manager if available. Consider installing the CLI in a per-project environment rather than globally.
- Confirm prerequisites: the SKILL.md requires Bun but the skill metadata only lists the supalytics binary; ensure Bun is installed and the supalytics binary is present. Examples use jq for JSON parsing — install jq if you need that behavior.
- OAuth handling: the doc asks the agent to capture and display the OAuth verification URL and poll for completion. Only proceed if you trust the agent to not exfiltrate the URL or tokens; prefer doing the browser authorization yourself.
- Scope and sandboxing: because the instruction set runs remote installers and global package installs, run it in a disposable/sandboxed environment (VM or container) if possible.
If the publisher can update the skill to explicitly declare Bun (and jq if intended) in required binaries and avoid recommending curl|bash, that would reduce risk and make the package more coherent.
Like a lobster shell, security has layers — review code before you run it.
Tags: latest, marketing, product analytics, web analytics
Runtime requirements
📊 Clawdis
Bins: supalytics
