Official Supermetrics skill. Query marketing data from 100+ platforms including Google Analytics, Meta Ads, Google Ads, and LinkedIn. Requires API key.
Security Analysis
Medium confidence
The skill's code and instructions mostly match a Supermetrics API client and only need a SUPERMETRICS_API_KEY, but registry metadata and provenance claims are inconsistent (it calls itself 'Official' yet source/homepage/declared env in registry are missing), so proceed with caution.
The SKILL.md and the Python client both implement a Supermetrics API client and require SUPERMETRICS_API_KEY — that is coherent with the stated purpose. However the registry metadata shown above lists no required env vars or primary credential, and the package claims to be 'Official Supermetrics' while source/homepage are unknown. That mismatch (claimed officialness + missing provenance + metadata omission) is an integrity/provenance concern.
Runtime instructions and the code are scoped to calling Supermetrics endpoints (POST /mcp/{tool_name} and GET /health) and returning results. The client only reads SUPERMETRICS_API_KEY (from the environment or a single .env file under ~/.openclaw/skills/<slug>/.env). It does not access other system paths or unrelated environment variables, nor does it send data to unexpected third-party endpoints in the reviewed code.
No install spec is present and the skill is provided as code only — nothing is downloaded or written by an installer. This has lower installation risk.
The code and SKILL.md require SUPERMETRICS_API_KEY, which is proportionate for an API client. However the registry metadata (above) omitted required env vars/primary credential even though SKILL.md declares SUPERMETRICS_API_KEY — this inconsistency is suspicious and could cause the platform to not surface the credential requirement to users. The client will also try to read a .env file at ~/.openclaw/skills/supermetrics-openclawd/.env if the env var is not set.
The skill does not request always: true, does not modify other skills or system-wide agent settings, and does not persist credentials beyond reading an environment variable or its own .env file. Autonomous invocation is allowed (platform default) and not by itself a flag in this package.
Guidance
This package appears to implement a normal Supermetrics API client and only needs SUPERMETRICS_API_KEY, but there are provenance and metadata inconsistencies you should resolve before installing:
1) Verify the skill's publisher/source — it claims to be 'Official' but has no homepage or authoritative source listed. Prefer an integration obtained directly from Supermetrics or a trusted registry entry.
2) Confirm the platform will prompt you to provide SUPERMETRICS_API_KEY (the registry metadata omitted it); do not paste other secrets.
3) Note the code will read a .env file at ~/.openclaw/skills/supermetrics-openclawd/.env if the env var is absent — ensure that file does not contain additional unrelated secrets.
4) Check that the BASE_URL (https://mcp.supermetrics.com) matches Supermetrics' documented endpoints.
If you cannot verify publisher authenticity, run the skill in a restricted environment, provide a least-privilege API key (revocable), and monitor network usage and logs. If you want higher assurance, ask the publisher for a homepage/repo or use an official Supermetrics integration.
Latest Release
v1.0.1
- Updated description to indicate this is the official Supermetrics skill and clarify API key requirement.
- Bumped version number to 1.0.1.
- Added support for loading API key from .env file or as environment variable.
Published by @bartschneider on ClawHub