Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This skill is a disclosed read-only helper for querying Umami analytics with a user-provided API key.
Install only if you want an agent to query your Umami analytics. Use the narrowest Umami API key available, avoid admin-scoped keys unless needed, keep UMAMI_BASE_URL pointed only at Umami Cloud or your trusted self-hosted instance, and prefer explicit website IDs and time ranges when requesting data.
## API path conventions (explicit) - **Umami Cloud:** `https://api.umami.is/v1/...` - **Self-hosted Umami:** `https://<your-host>/api/...` The script supports both:
64/64 vendors flagged this skill as clean.
No suspicious patterns detected.