Supalytics - Web Analytics

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent web-analytics CLI skill, but users should review the third-party install, OAuth login, and site-management commands before use.

This skill appears suitable if you trust Supalytics and want an agent to query your analytics. Before installing, review the Bun and Supalytics CLI setup, authenticate only the intended account, and require confirmation before any site add/update/remove or long-running watch command.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill’s required tooling runs external installer/package code on the local machine.

Why it was flagged

The skill instructs installation through a remote shell installer and a globally installed third-party CLI package. This is expected for a CLI-based skill, but users should trust the source before running it.

Skill content

curl -fsSL https://bun.sh/install | bash
...
bun add -g @supalytics/cli

Recommendation

Install only from trusted sources, review the Supalytics CLI package/homepage, and avoid running the setup if you do not trust the publisher.

What this means

The agent may be able to access analytics, events, conversion, and revenue data available to the logged-in Supalytics account.

Why it was flagged

The skill requires OAuth login to a Supalytics account, which is appropriate for querying private analytics but grants the CLI account-level access to analytics data.

Skill content

supalytics login        # Opens browser for OAuth

Recommendation

Authenticate only with the intended account and site, and avoid sharing outputs containing sensitive business or revenue data unless appropriate.

What this means

If used incorrectly, the agent could change Supalytics site configuration or remove a site from the account.

Why it was flagged

Beyond read-only analytics queries, the documented CLI commands can create, update, set defaults for, or remove analytics sites. The artifact presents these as reference commands, not hidden automatic behavior, but they are mutation-capable.

Skill content

supalytics sites add example.com
...
supalytics sites update my-site -d example.com
...
supalytics remove example.com                 # Remove site

Recommendation

Use site-management commands only after an explicit user request, and confirm before running update, default-change, or removal commands.

What this means

A login process may continue while the user completes browser authorization, and realtime watch mode can keep refreshing until stopped.

Why it was flagged

The skill explicitly recommends running the login command in background mode and polling for completion. This is disclosed and tied to OAuth device-flow setup, but it creates a background session.

Skill content

await exec({
  command: 'supalytics login',
  background: true,
  yieldMs: 2000
});

Recommendation

Allow background or watch modes only for the requested task, and stop them when setup or monitoring is complete.