Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
umeng-app-analysis
v1.0.0友盟+ App 数据分析工具,通过友盟 Open API 查询移动应用统计数据。支持全部应用统计(App列表、数量、汇总数据)和单个应用详细分析(活跃/新增用户、启动次数、留存率、使用时长、渠道/版本维度、自定义事件及参数分析)。当用户需要查询友盟App统计数据、分析应用指标、获取用户行为数据时使用。认证信息从环...
⭐ 0· 32·0 current·0 all-time
byLeo Wing@leowing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description and included SDK files match an Umeng Open API client (expected). However the registry metadata lists no required environment variables or primary credential, while SKILL.md explicitly says authentication comes from UMENG_API_KEY and UMENG_API_SECURITY — this mismatch is unexpected and unexplained.
Instruction Scope
The SKILL.md instructions are narrowly scoped: set two environment variables, pip install requests, then run scripts/umeng.py with command arguments. The runtime behavior is limited to calling Umeng APIs. SKILL.md notes get-app-list may need an access_token but doesn't claim to access unrelated files or secrets.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. The skill bundle nevertheless contains ~70 source files, including scripts/umeng.py (the runtime). No downloads from external URLs or extract steps are present in the manifest.
Credentials
Requiring UMENG_API_KEY and UMENG_API_SECURITY is proportionate for an API client. The problem is the registry metadata did not declare these as required or as the primary credential, creating an inconsistency. Also sdk/test.py contains example code that hardcodes an appkey/secret (placeholders) and notes that secrets will be kept in plain memory — you should confirm the real scripts don't leak or log the secrets.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not declare system paths or tool policies, and does not indicate modification of other skills or global config. Autonomous invocation is allowed (platform default) but is not combined with other elevated privileges here.
What to consider before installing
This package looks like an Umeng Open API client and likely needs two environment variables (UMENG_API_KEY and UMENG_API_SECURITY), but the registry metadata omitted them — before installing, (1) review scripts/umeng.py (the main runtime) to verify it only talks to Umeng endpoints and doesn't exfiltrate data, (2) ensure you are comfortable setting UMENG_API_KEY and UMENG_API_SECURITY in the environment (they'll be stored in memory during use), (3) test it in an isolated environment or container first, and (4) contact the publisher or inspect the code further if you need assurance that no other network calls or logging of secrets occur.Like a lobster shell, security has layers — review code before you run it.
latestvk979tt6nkvcvfqny6y0vmdx0rn84tdv3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.