Back to skill

Security audit

Umami Stats

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only helper for querying Umami analytics with a user-provided API key.

Install only if you want an agent to query your Umami analytics. Use the narrowest Umami API key available, avoid admin-scoped keys unless needed, keep UMAMI_BASE_URL pointed only at Umami Cloud or your trusted self-hosted instance, and prefer explicit website IDs and time ranges when requesting data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

External Transmission

Medium
Category
Data Exfiltration
Content
## API path conventions (explicit)

- **Umami Cloud:** `https://api.umami.is/v1/...`
- **Self-hosted Umami:** `https://<your-host>/api/...`

The script supports both:
Confidence
50% confidence
Finding
https://api.umami.is/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.