umeng-app-analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Umeng analytics skill, but it includes under-disclosed write and admin-capable API wrappers beyond ordinary analytics querying.

Install only if you are comfortable giving this skill Umeng API credentials and you can restrict those credentials to the minimum needed. Treat it as a Review item because it is not purely read-only: avoid using broad production credentials, do not let agents call SDK classes outside the documented CLI commands, and review any create or edit action before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a read-only analytics/query tool, but the referenced behavior includes a write operation to create custom events. That mismatch can cause users or orchestrators to invoke the skill under the assumption it is non-destructive, when it may modify remote analytics configuration or data objects, increasing the risk of unauthorized changes and trust-boundary violations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a read-only analytics/query tool, but it also exposes a write-capable API operation that creates custom events. This is dangerous because users or downstream agents may invoke the skill expecting passive data retrieval, while it can actually modify analytics configuration/state in the Umeng account.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The file implements a request for order-analysis data under the `umeng.apptrack` namespace, which does not match the skill’s stated purpose of querying Umeng App statistics via the documented App analytics APIs. This mismatch is dangerous because it can cause the skill to request unrelated or more sensitive business/order data than users expect, creating scope creep, unauthorized data access, and possible credential misuse if the provided secrets have broader permissions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This request class exposes a state-changing API operation (`umeng.uapp.createApp`) that can create new Umeng app data sources, which exceeds the stated skill purpose of querying and analyzing existing app statistics. In an agent context, this expands the tool from read-only analytics into authenticated write capability, increasing the risk of unauthorized resource creation, account misuse, and unintended side effects if prompted or abused.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata says it is for querying and analyzing Umeng app statistics, but this class exposes a state-changing API to create custom events. That capability expands the skill from read-only analytics into write access against the Umeng account, which can be abused to alter telemetry configuration, pollute analytics, or perform unauthorized changes if the agent is granted credentials and this operation is reachable.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file defines a signed, authenticated API request for creating a mini-app data source, which is a state-changing administrative capability. That conflicts with the skill’s declared purpose of read-only app analytics queries, so the skill exposes broader privileges than users would reasonably expect. In a tool configured with production credentials, this can enable unauthorized resource creation and misuse of sensitive app identifiers/keys.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This request class supports onboarding a new mini-app data source and includes fields for `miniAppSecret`, `miniPublicKey`, and `miniPrivateKey`, introducing handling of high-sensitivity credentials beyond analytics retrieval. Because the stated skill context is statistics analysis, this unjustified write/admin functionality increases the attack surface and could be abused to register rogue integrations or mishandle secrets.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file exposes an edit-capable API request for mini-program data sources, while the skill metadata describes a read-oriented analytics/query tool. That scope mismatch is dangerous because any agent or downstream caller with the skill enabled may gain unintended write access to modify application configuration or credentials, violating least privilege and increasing the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The request object includes fields for changing mini-app configuration and sensitive secrets/keys, which is not justified by the stated purpose of querying Umeng analytics data. In the context of an analytics skill, this expands capability from observation to configuration tampering, making accidental misuse, malicious prompting, or agent compromise much more damaging.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This package initializer exposes write-capable request classes such as app creation and event creation even though the skill metadata describes a read-only analytics/query tool. In an agent setting, exporting these classes broadens the available action surface and can enable unauthorized state-changing operations against the Umeng account if higher-level code or prompts invoke them.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The module also exports mini-program creation and editing request types, which materially exceeds the stated scope of querying app statistics. In a tool-integrated environment this mismatch increases the risk that an LLM agent can be induced to perform unintended administrative actions on mini-app assets using the same credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation tells operators to supply sensitive API credentials via environment variables but does not warn that these secrets grant access to external analytics data and potentially mutating API actions. Without sensitivity guidance, users may expose the credentials in logs, shell history, screenshots, shared environments, or grant them to workflows they assume are harmless read-only analytics tools.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file contains a hardcoded API key/secret pair in executable sample code via `aop.set_default_appinfo(1000000, "aaaaaaaaaaaa")`. Even if these appear to be placeholder values, embedding credential literals in a shipped SDK example normalizes insecure credential handling, can lead users to copy the pattern into production, and creates risk if real secrets are ever substituted and committed.

VirusTotal

66/66 vendors flagged this skill as clean.
