GA4 Analytics Toolkit
v1.0.1Google Analytics 4, Search Console, and Indexing API toolkit. Analyze website traffic, page performance, user demographics, real-time visitors, search querie...
⭐ 0· 337·2 current·2 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill implements GA4, Search Console, and Indexing API functionality and legitimately needs a Google service account, property ID, and site URL. However, the registry metadata declares no required env vars while SKILL.md and the code expect GA4_PROPERTY_ID, GA4_CLIENT_EMAIL, GA4_PRIVATE_KEY, and SEARCH_CONSOLE_SITE_URL — this mismatch is likely an oversight but should be corrected.
Instruction Scope
Runtime instructions are explicit: run npm install in scripts/, create a .env with the service account values, call functions that call Google APIs, and auto-save JSON results to results/*. The code reads only those environment vars and writes results to local files; it does not call unexpected third‑party endpoints or attempt to read unrelated system files.
Install Mechanism
The package is instruction-first with bundled source and a package.json; install is via 'cd scripts && npm install'. This is a normal install path but npm install will fetch third‑party dependencies and could run lifecycle scripts — review scripts and package.json before running npm install.
Credentials
Requested credentials (service account email and private key, GA4 property ID, Search Console site URL) are appropriate for the stated purpose. They are highly sensitive (private key) so the skill's need is proportional but you must protect those secrets and use a least‑privilege service account. The skill expects the private key in .env (dotenv) and replaces escaped newlines; ensure you store and handle the key securely.
Persistence & Privilege
always:false and model invocation is allowed (platform default). The skill auto-saves results to a local results/ directory it creates; it does not request persistent platform-wide privileges or modify other skills. Writing files to results/ is expected behavior for reporting tools.
Assessment
This package appears to do what it claims, but it needs Google service‑account credentials (including a private key) and will write results to disk and install npm dependencies. Before installing: (1) verify you trust the skill source (source/homepage unspecified), (2) inspect scripts/package.json for any postinstall or unexpected lifecycle scripts, (3) create a least‑privilege Google service account limited to the GA4, Search Console, and Indexing scopes, (4) never commit the .env or private key to source control, and (5) consider running npm install in an isolated environment (container/VM) if you are unsure. If the registry metadata will be shown to others, ask the publisher to update required env var declarations to avoid confusion.Like a lobster shell, security has layers — review code before you run it.
latestvk975zvk4thm45e6vemrtpyfckh82cwk1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.