Umami Stats
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only Umami analytics helper, but it does use an Umami API key and can query any read endpoint the key is allowed to access.
This skill looks safe for its stated read-only analytics purpose. Before installing, make sure you are comfortable giving the agent access to Umami data through UMAMI_API_KEY, use the narrowest API key available, and keep the configured base URL restricted to your trusted Umami Cloud or self-hosted instance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill gives the agent a way to read Umami data available to the configured API key.
The helper authenticates with an Umami API key from the environment or command line and sends it as the service authentication header. This is expected for the skill, but the key's permissions determine what analytics, website, team, user, or admin read data can be accessed.
parser.add_argument("--api-key", default=os.getenv("UMAMI_API_KEY")) ... "x-umami-api-key": args.api_key
Use a least-privilege Umami API key where possible, keep it in the environment rather than typing it into prompts, and avoid using admin-scoped keys unless needed.
A mistaken or untrusted base URL could receive the Umami API key, and broad endpoints could expose more account data than intended.
The script is a flexible GET helper that accepts arbitrary endpoint paths and a configurable base URL. That flexibility is purpose-aligned for Umami Cloud and self-hosted deployments, but it should be used only with trusted Umami endpoints because authentication headers are attached to the request.
parser.add_argument("--endpoint", required=True ...); parser.add_argument("--base-url", default=os.getenv("UMAMI_BASE_URL", DEFAULT_BASE_URL))
Set UMAMI_BASE_URL only to a trusted Umami Cloud or self-hosted instance and prefer known analytics endpoints with explicit time ranges.
A user relying only on registry metadata might miss that the skill needs an Umami API key.
The registry metadata does not declare a credential requirement even though SKILL.md documents UMAMI_API_KEY as required. This is an under-declaration rather than hidden behavior, because the skill text and code disclose the API key use.
Required env vars: none ... Primary credential: none
Treat UMAMI_API_KEY as a required credential for use and review the included script before providing it.
