Safety Report

GA4 Analytics

Name: GA4 Analytics
Rating: 3 (7 reviews)
Author: adamkristopher

Google Analytics 4, Search Console, and Indexing API toolkit. Analyze website traffic, page performance, user demographics, real-time visitors, search queries, and SEO metrics. Use when the user asks to: check site traffic, analyze page views, see traffic sources, view user demographics, get real-time visitor data, check search console queries, analyze SEO performance, request URL re-indexing, inspect index status, compare date ranges, check bounce rates, view conversion data, or get e-commerce

4,670Downloads

16Installs

7Stars

1Versions

API Integration4,971 Search & Retrieval2,116 Monitoring & Logging1,579 Data Analysis904

Security Analysis

medium confidence

Suspicious0.08 risk

The code implements the described GA4/Search Console/Indexing functionality and uses official Google client libraries, but the registry metadata omits the required Google service-account credentials and the skill asks you to store a sensitive private key in a .env and will auto-save results to disk — this mismatch and handling of secrets warrant caution.

Feb 11, 202616 files4 concerns

Purpose & Capabilityconcern

The skill's code and SKILL.md clearly require a Google service account (GA4_PROPERTY_ID, GA4_CLIENT_EMAIL, GA4_PRIVATE_KEY, SEARCH_CONSOLE_SITE_URL) and provide GA4/Search Console/Indexing functions which match the name/description. However the registry metadata lists no required environment variables or primary credential — that is an incoherence that could mislead users about the need to provide sensitive credentials.

Instruction Scopenote

Runtime instructions are explicit: run npm install, create a .env with service-account credentials, then call functions or run scripts. The code only reads environment variables and calls Google APIs; it also auto-saves API responses as timestamped JSON under results/*. There are no instructions or code that read unrelated system files or send data to third-party endpoints outside Google APIs, but storing the private key in .env and auto-saving results (which include propertyId metadata) increases the risk of accidental leakage if the project folder is shared or committed.

Install Mechanismok

There is no custom binary download; installation is standard npm install as documented in SKILL.md and scripts/setup.sh. Dependencies are standard packages (@google-analytics/data, @googleapis/indexing, @googleapis/searchconsole, googleapis, dotenv, tsx, typescript) from npm, which is proportionate for the claimed functionality.

Credentialsconcern

The skill legitimately needs service-account credentials and a property/site identifier to operate, and the code expects GA4_PROPERTY_ID, GA4_CLIENT_EMAIL, GA4_PRIVATE_KEY and SEARCH_CONSOLE_SITE_URL in environment variables. Those are sensitive (private key) and are not declared in the registry metadata. The number and sensitivity of env vars is reasonable for the purpose but the missing metadata declaration and guidance to place the raw private key into .env is a notable risk.

Persistence & Privilegenote

The skill does not request always:true and does not modify other skills. It persists results locally to a results/ directory (JSON files with metadata that include propertyId). Saving outputs to disk is expected for analytics work, but you should be aware that results and metadata could expose site identifiers and should not be committed to public repositories; the skill also creates no other persistent system-wide configuration.

Guidance

What to consider before installing: - Metadata mismatch: the registry metadata does not declare required env vars, but SKILL.md and the code require a Google service-account (GA4_PROPERTY_ID, GA4_CLIENT_EMAIL, GA4_PRIVATE_KEY, SEARCH_CONSOLE_SITE_URL). Treat this as a red flag and verify why metadata was omitted. - Secrets handling: the README instructs placing the service account private key in a .env file. If you use this skill, keep the project directory private, add .env to .gitignore, and rotate the key if it may have been exposed. - Least privilege: create a Google service account with the minimal scopes needed (GA4 Data API, Search Console read, Indexing limited as appropriate). Don't reuse broad or owner-level credentials. - Auto-saved data: the skill saves API responses and metadata (including propertyId) under results/. Review and restrict access to those files and avoid committing them to source control. - Review code locally: since code files are included, inspect scripts/src/* for any custom network endpoints or telemetry (none were found; only official Google client libraries are used). If you are unsure, run the project in an isolated environment (container or ephemeral VM). - Indexing/remove functions: the Indexing API functions can request reindexing or request removals. Only grant indexing permission if you trust the code and the environment, and be cautious when invoking removal operations. If these concerns are acceptable and you verify the code and credentials, the implementation itself aligns with the stated purpose. If you cannot verify the author or reason for the metadata omission, do not install or provide credentials until the issue is resolved.

Latest Release

v1.0.0

Initial release — GA4 Analytics, Search Console, and Indexing API toolkit with 30+ functions

More by @adamkristopher

Botcoin

4 stars

SEO DataForSEO

0 stars

Endpoints

0 stars

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Published by @adamkristopher on ClawHub