MarketUP Management
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: marketup-uc
Version: 1.0.0
The 'marketup-uc' skill bundle is a legitimate CRM integration for the MarketUP platform. It includes a setup script (scripts/setup-marketup-api-key.sh) to manage the MARKETUP_API_KEY by storing it in a local environment file (~/.openclaw/.env), and the SKILL.md provides clear, task-aligned instructions for the agent to interact with official endpoints at https://uc.marketup.cn. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken request or wrong target ID could change lead/account ownership, fields, tags, follow-ups, or conversion state.
The skill explicitly supports authenticated write actions against CRM records. This matches the CRM management purpose, but these operations can alter business data.
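All write operations (assigning, creating, modifying, following up, converting to a customer, claiming, returning, tagging, etc.) must have their results summarized only on the basis of what the API returns.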
Review target records and payloads before high-impact writes, and use an API key/account with only the permissions needed for the intended CRM work.
Anyone or any process that can use that stored key may be able to access or modify MarketUP CRM data according to the key’s permissions.
The setup flow stores a sensitive MarketUP API key for later use. This is disclosed and expected for the integration, but the key grants account/API authority.
Creates `~/.openclaw/.env` if it does not exist. Updates existing `MARKETUP_API_KEY` when present, otherwise appends `MARKETUP_API_KEY=<user_input>`.
Use a least-privilege MarketUP API key, keep the `.env` file protected, and rotate/revoke the key if it is no longer needed.
Installing/using the skill may trigger local script execution to write configuration under the user’s home directory.
The skill instructs the agent to run a local setup script automatically when the API key is missing. The behavior is disclosed and limited to credential setup.
Do not ask the user to run the script manually. The agent must execute the script itself and only ask the user for the key input prompted by the script.
Review the setup script before first use and cancel the prompt if you do not want the key saved locally.
The credential setup may fail on systems without `rg` even though the registry requirements appear satisfied.
The setup script invokes `rg`, while the supplied requirements list only `curl` and `jq`. This is an under-declared local dependency and may cause setup failure.
if rg -q '^MARKETUP_API_KEY=' "${ENV_FILE}"; then
Declare `rg` as a required binary or replace it with a dependency already available in the declared environment.
