Query Google Analytics 4 (GA4) data via the Analytics Data API. Use when you need to pull website analytics like top pages, traffic sources, user counts, ses...
Security Analysis
high confidenceThe skill's requirements, instructions, and included scripts align with its stated purpose (reading GA4 data via the Analytics Data API) and do not request or transmit unrelated credentials or perform unexpected actions.
The name/description (GA4 Data API queries) matches the requested environment variables (GA4_PROPERTY_ID, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REFRESH_TOKEN) and the included Python scripts. OAuth client credentials and a refresh token are reasonable and expected for offline read-only access to GA4.
SKILL.md and the scripts limit activity to the Google OAuth endpoints and the Analytics Data API. ga4_auth.py prints tokens to stdout and instructs the user to export the refresh token into their environment; the skill does not persist credentials to disk itself. Users should be aware that following the auth flow will surface tokens in the terminal, which they then may store in their environment (outside the skill).
There is no automated install downloader; the skill is instruction-only and the Python scripts simply require standard pip packages (google-analytics-data, google-auth-oauthlib). The scripts themselves do not fetch arbitrary code from unknown URLs.
Requested environment variables are limited to what the GA4 read-only flow needs (property ID + OAuth client ID/secret/refresh token). No unrelated credentials, system config paths, or secret-named variables are requested.
The skill is not always-enabled, does not alter other skills or system configuration, and does not create persistent background services. It only runs as invoked and uses provided credentials for API calls.
Guidance
This skill appears to do only what it says: run read-only GA4 queries. Before installing or running: (1) review the provided scripts locally (they're small and readable); (2) only use OAuth credentials that you trust and scope to read-only Analytics access; (3) be aware the auth script prints tokens to your terminal — avoid running in shared environments or pasting tokens where others can see them; (4) if you prefer not to use a client secret/refresh token, consider creating dedicated credentials or a least-privileged account for this purpose; and (5) run pip dependency installation in a virtual environment to avoid affecting global packages. If you need higher assurance, ask the publisher for source provenance (the registry owner ID is included) before adding sensitive credentials.
Latest Release
v1.2.2
Scanner hardening: align _meta version with release and keep explicit openclaw env/bin requirements
More by @jdrhyne
Published by @jdrhyne on ClawHub
