by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, instructions, and environment needs are consistent with its stated purpose of querying GA4 via the official Data API; nothing in the package appears to request unrelated credentials or reach out to unknown endpoints.
评估建议
This appears to be a legitimate GA4 reporting skill. Before installing: (1) do not commit real service-account JSON keys to repos; use a Viewer-limited service account; (2) check there is no unexpected ga-credentials.json with secrets in the skill directory (the repo includes an empty ga-credentials.json placeholder); (3) be aware some scripts set GOOGLE_APPLICATION_CREDENTIALS to the local ga-credentials.json which may override your global setting — remove or edit that line if you prefer a diff...详细分析 ▾
✓ 用途与能力
Name/description (GA4 reporting) matches the included files (CLI, helper, tests, optional report). Required dependencies (google-analytics-data, requests optional) are appropriate for the functionality.
ℹ 指令范围
SKILL.md and code confine actions to creating/using a Google service account JSON key, calling the GA4 Data API, and optionally sending notifications (DingTalk) if the user configures webhook env vars. One small surprise: several scripts unconditionally set GOOGLE_APPLICATION_CREDENTIALS to ./ga-credentials.json which can override an existing environment variable — the docs mention both options, but the script behavior may be unexpected to some users.
✓ 安装机制
No automatic install/downloads or remote installers; dependencies are standard Python packages listed in requirements.txt. The package is shipped as source files (no opaque external payloads).
ℹ 凭证需求
The skill does not request unrelated secrets. It expects a Google service account JSON (GOOGLE_APPLICATION_CREDENTIALS or ga-credentials.json) and may use GA4_PROPERTY_ID or a config.json for property selection. Optional DingTalk webhook env vars are documented — these are reasonable but are unrelated to GA4 data access and should only be set if you intend to use notifications.
✓ 持久化与权限
Skill is not force-included (always:false) and does not modify other skills or global agent configuration. It runs on-demand and has no elevated platform privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/20
Call the Google Analytics API from the command line to read GA4 data (not Universal Analytics).
● 无害
安装命令 点击复制
官方npx clawhub@latest install google-analytics-ga4
镜像加速npx clawhub@latest install google-analytics-ga4 --registry https://cn.clawhub-mirror.com
技能文档
Query GA4 properties using the Google Analytics Data API v1.
Capabilities
- Realtime metrics — e.g. active users in the last N minutes
- Historical reports — custom date ranges, metrics, dimensions, paging
- Metadata — discover valid dimension and metric API names
- Property list hint — Data API alone cannot enumerate properties; doc explains where to find the numeric ID
Setup
1. Create a service account
- Open Google Cloud Console.
- Create or select a project.
- Enable Google Analytics Data API.
- Create a service account: IAM & Admin → Service Accounts → Create service account.
- Finish the wizard.
2. Create a JSON key
- Open the service account → Keys.
- Add key → Create new key → JSON.
- Download the file and save it as
ga-credentials.json(or any path you pass via--credentials/GOOGLE_APPLICATION_CREDENTIALS).
3. Grant GA4 access
- Open Google Analytics.
- Select the property.
- Admin (gear) → Property access management.
- Add users → enter the service account email (
…@….iam.gserviceaccount.com). - Role: at least Viewer.
4. Credentials location
Either:
- A. Place
ga-credentials.jsonin this skill directory, or - B. Set
GOOGLE_APPLICATION_CREDENTIALSto the absolute path of the JSON key.
Never commit real keys. .gitignore excludes ga-credentials.json and config.json.
Examples
Property list guidance
python ga_query.py --action list-properties
Realtime (active users)
python ga_query.py --action realtime \
--property-id YOUR-GA4-PROPERTY-ID
Historical
python ga_query.py --action historical \
--property-id YOUR-GA4-PROPERTY-ID \
--start-date 7daysAgo \
--end-date yesterday \
--metrics activeUsers,sessions,eventCount \
--dimensions country,deviceCategory
Metadata
python ga_query.py --action metadata \
--property-id YOUR-GA4-PROPERTY-ID
Arguments
Common
| Argument | Description | Default |
|---|---|---|
--property-id | Numeric GA4 property ID | Required (except list-properties) |
--credentials | Service account JSON path | ga-credentials.json |
Realtime
| Argument | Description | Default |
|---|---|---|
--metrics | Comma-separated metrics | activeUsers |
--dimensions | Comma-separated dimensions | (none) |
--minute-range | Minutes ago window, e.g. 0-30 | 0-30 |
Historical
| Argument | Description | Default |
|---|---|---|
--start-date | Start (YYYY-MM-DD or relative) | Required |
--end-date | End | Required |
--metrics | Comma-separated metrics | activeUsers |
--dimensions | Comma-separated dimensions | (none) |
--limit | Max rows | 10000 |
--offset | Paging offset | 0 |
Common metrics
| Name | Meaning |
|---|---|
activeUsers | Active users |
sessions | Sessions |
eventCount | Event count |
engagementRate | Engagement rate |
averageSessionDuration | Avg session duration (seconds) |
screenPageViews | Page / screen views |
conversions | Conversions |
totalRevenue | Revenue |
Common dimensions
| Name | Meaning |
|---|---|
country | Country |
city | City |
deviceCategory | desktop / mobile / tablet |
eventName | Event name |
pagePath | Page path |
source | Traffic source |
medium | Medium |
campaign | Campaign |
date | Date |
Date expressions
- Absolute:
2024-01-15 - Relative:
today,yesterday,7daysAgo,30daysAgo
Output
Default: Markdown tables. Use --output json for machine-readable output.
Dependencies
pip install google-analytics-data
Optional (traffic source report + DingTalk): pip install requests and set DINGTALK_WEBHOOK / DINGTALK_SECRET.
References
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制