Umami Stats
v1.0.0
Query Umami Cloud (v2) analytics data via API using an environment-provided API key. Use when agents need website traffic, pages, events, sessions, realtime, reports, or attribution data for analysis, planning, experiments, or monitoring. Includes read-only API querying patterns, endpoint selection guidance, and reusable scripts for flexible endpoint + time-range requests.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the included script and docs: it is a read-only Umami API query helper. However the registry metadata lists no required environment variables or primary credential, while SKILL.md and scripts/umami_query.py clearly require an UMAMI_API_KEY (and optionally UMAMI_BASE_URL, UMAMI_WEBSITE_ID, UMAMI_DEPLOYMENT). That metadata mismatch is an integrity/provenance concern. Also source/homepage are missing, so origin can't be verified.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python script to perform GET requests against Umami endpoints. The instructions keep scope to read-only API calls and do not ask the agent to read local files or unrelated environment variables. A caution: the script allows an arbitrary --base-url (defaulting to api.umami.is); if an operator or agent sets --base-url to an attacker-controlled host, the API key and requested paths could be sent to that host. The script itself only issues GETs and prints JSON.
Install Mechanism
There is no install spec (instruction-only) and the included helper script is plain Python. Nothing is downloaded or installed at runtime by the skill package itself, so installation-risk is low. The risk surface is limited to running the included script.
Credentials
The environment variables the SKILL.md and script reference (UMAMI_API_KEY, UMAMI_BASE_URL, UMAMI_WEBSITE_ID, UMAMI_DEPLOYMENT) are proportional to the stated purpose: an API key is required to query Umami. The concern is that the registry metadata did not declare these requirements or a primary credential, so the skill could be installed without the user realizing an API key is required or how it will be used. UMAMI_API_KEY is sensitive; verify scope/permissions before providing it.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system configs, and does not require elevated OS privileges. It can be invoked autonomously (disable-model-invocation:false), which is normal for skills — combine that with the credential-availability note above when deciding whether to allow autonomous runs.
What to consider before installing
Summary of what to check before installing:
- Provenance: the skill has no homepage/source repository listed. Prefer skills with a verifiable source or review the included files yourself before use.
- Required credential: SKILL.md and the script require UMAMI_API_KEY (and optionally UMAMI_BASE_URL, UMAMI_WEBSITE_ID). The registry metadata incorrectly lists no required env vars — treat that as a red flag.
- Principle of least privilege: only provide an API key with the minimum necessary scope (read-only, limited websites) and avoid using an admin or wide-scope key. If Umami supports scoped/read-only keys, create one for this skill.
- Base URL caution: the script permits an arbitrary --base-url. Do not let agents or untrusted actors change base_url to an attacker-controlled host (that would send your API key to that host). Prefer the default cloud base URL (https://api.umami.is) unless you host Umami yourself and understand the endpoint.
- Review the code: the bundled scripts/umami_query.py is small and readable; scan it yourself (or have someone you trust do so) to confirm there are no hidden network calls or local-file reads beyond what's documented.
- Autonomous invocation: the skill may be invoked autonomously by the agent. If you are uncomfortable with that combined with giving the skill an API key, either disable autonomous invocation for this skill or only run it when you explicitly trigger it.
If you cannot verify the author or do not want to expose an API key, do not install; alternatively, test with a limited-scope key in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
latestvk970ax7p5pn06yntra8gc4wxc980parh
