Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

应用资产查询 (App Asset Query)

v1.1.0

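Umeng app-asset query skill. Use it when the user wants to know which apps they have on Umeng, how many apps there are, or their mini-program list. Trigger phrases: 应用列表 (app list), 我的应用 (my apps), 小程序列表 (mini-program list), 应用数量 (app count), 有哪些应用 (which apps are there), 应用资产 (app assets).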

by Umeng+ @squall0925

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for squall0925/uapp-assets.

Install the skill "应用资产查询" (squall0925/uapp-assets) from ClawHub.
Skill page: https://clawhub.ai/squall0925/uapp-assets
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install uapp-assets

ClawHub CLI

npx clawhub@latest install uapp-assets
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description: read-only app-asset queries against Umeng. Included files: a bundled Umeng OpenAPI Python SDK (many API classes, including create/edit endpoints) and scripts/assets.py as the entry. Including the SDK is reasonable for calling Umeng APIs, but the bundle contains write-capable API classes (create/edit) that are not required by the stated read-only purpose; this increases the attack surface though it may be benign for reuse.
!
Instruction Scope
SKILL.md instructs running python3 scripts/assets.py and describes configuration via --config or UMENG_CONFIG_PATH and local umeng-config.json. The manifest declares no required env vars/credentials, yet runtime clearly depends on a config file that likely contains appKey/secret or accessToken. The instructions do not explicitly declare where credentials come from or what the config contains. Because the runtime script will perform network calls to gateway.open.umeng.com, users need to know what data is read and transmitted; SKILL.md does not show that explicitly.
Install Mechanism
No install spec (instruction-only), so nothing is automatically downloaded at install time. However, the skill includes ~75 files (the SDK and scripts) that will be present on disk and executed when invoked. No external arbitrary-download URLs were used in the manifest.
!
Credentials
No required environment variables or primary credential declared in the registry metadata, but SKILL.md references UMENG_CONFIG_PATH and a umeng-config.json that will contain credentials (appKey/secret or access token). The skill omits declaring these required secrets, which is an incoherence: the agent/operator must provide credentials but the skill metadata doesn't advertise them. Storing secrets in a plaintext JSON file (as suggested) is also a potential security risk.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request permanent/global privileges or modify other skills' config. No other elevated persistence behavior is indicated.
What to consider before installing
This skill appears to be a legitimate Umeng app-listing helper, but there are important mismatches you should address before installing:

- Credentials: The SKILL.md expects a umeng-config.json or UMENG_CONFIG_PATH containing your Umeng credentials, but the skill metadata does not declare required env vars or secrets. Do not provide global or highly privileged credentials without review. Inspect the sample umeng-config.json and scripts/assets.py to confirm exactly what keys/tokens are read and stored.
- Review the code: Because the package bundles a full OpenAPI SDK (including create/edit API classes), review scripts/assets.py to ensure it only calls read/list/count APIs and does not perform modification or exfiltrate data to unexpected endpoints.
- Secret storage: Avoid storing appKey/secret in plaintext in shared locations. Prefer using ephemeral credentials or a secrets manager and limit the permission scope of the credentials used.
- Run in isolation: If you want to try it, run the script in a safe environment (isolated container or dedicated account) with only a read-only Umeng account or scoped credentials.

If you want, I can: (1) show the contents of scripts/assets.py and the umeng-config.json example so you can verify what is read and sent; (2) list all API classes included to highlight any write-capable methods; or (3) suggest a minimal safe config layout and recommended permission scope for credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9705dstj9sq6bdthc2zkbwn2h84xeac
93 downloads
0 stars
2 versions
Updated 1w ago
v1.1.0
MIT-0

When to Use

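  • The user asks "How many apps have I registered in total?"
  • The user asks "List all my apps?"
  • The user asks "My mini-program list?"
  • The user needs an overview of their app assets
  • Keywords: 应用列表 (app list), 小程序列表 (mini-program list), 应用数量 (app count), 应用资产 (app assets)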

When NOT to Use

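  • Querying statistics for a specific app (use uapp-core-index)
  • Querying channel/version distribution (use uapp-channel-version)
  • Querying retention data (use uapp-retention)
  • Querying event data (use uapp-event)
  • Querying APM performance data (use uapp-apm)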

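Edge Cases and Error Handling

| Situation | Handling |
| --- | --- |
| Very many apps (>100) | Report the total and the current page, and show the hint 「输入 下一页 查看后续数据」 (type 下一页, "next page", to see more data) |
| Looking for one specific app | First list with --list-apps or --list-minis, then use the other skills to query that app's data |
| --platform filter returns no results | Show 「未找到该平台应用,支持的过滤值:android/iphone/mini/mini_bytedance 等」 (no apps found for this platform; supported filter values: android/iphone/mini/mini_bytedance, etc.) |

Typical Questions and CLI Mapping

| Typical question | CLI command |
| --- | --- |
| "How many apps have I registered in total?" | --count |
| "List all my apps?" | --list-apps |
| "My mini-program list?" | --list-minis |
| "How many mini-programs do I have?" | --list-minis |
| "List all apps and mini-programs" | --list-all |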

CLI Commands

Query the app count

python3 scripts/assets.py --count

List apps

# Page 1
python3 scripts/assets.py --list-apps

# Specific page number
python3 scripts/assets.py --list-apps --page 2

# Filter by the Android platform
python3 scripts/assets.py --list-apps --platform android

List mini-programs

# Page 1
python3 scripts/assets.py --list-minis

# Filter by mini-program platform (fuzzy match)
python3 scripts/assets.py --list-minis --platform mini

List apps and mini-programs together

python3 scripts/assets.py --list-all

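Common Parameters

| Parameter | Description | Default |
| --- | --- | --- |
| --config | Path to the config file | Auto-discovered |
| --page | Page number | 1 |
| --per-page | Records per page (maximum 100) | 100 |
| --platform | Platform filter (supports fuzzy matching) | |
| --output | Output format: table/json | table |

Platform Filter

Fuzzy matching is supported:

| Filter value | Matched platform |
| --- | --- |
| android | android |
| iphone / ios | iphone |
| mini | All mini-program platforms (mini_weixin, mini_bytedance, etc.) |
| mini_bytedance | mini_bytedance (exact match) |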

Output Formats

Table format (default)

名称            平台      AppKey                    创建时间
友盟SDK         android   4f83c5d852701564c0000011   2012-04-10

共 893 个应用,当前显示第 1-100 条(第 1/9 页)
提示:输入 "下一页" 查看后续数据

JSON format

python3 scripts/assets.py --list-apps --output json

Returns structured JSON, convenient for calling from scripts.

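Configuration

  1. --config /path/to/umeng-config.json: specify the config file explicitly
  2. export UMENG_CONFIG_PATH=/path/to/umeng-config.json: environment variable
  3. Create umeng-config.json in the current directory: default lookup

For the config file format, see the umeng-config.json example in the project root.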
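
A pre-flight check for the credential file, added here as an example (it is not part of the skill or its bundled SDK): it resolves the config path from the three documented sources and reports permissions wider than owner-only, returning key names but never values. The function names are hypothetical, and treating the numbered list as a precedence order is an assumption.

```python
import json
import os
import stat
from pathlib import Path

DEFAULT_NAME = "umeng-config.json"  # file name taken from the skill docs


def resolve_config(cli_path=None, env=None, cwd="."):
    """Return the config path that would be picked, or None.

    Assumption: the documented list (--config, UMENG_CONFIG_PATH,
    ./umeng-config.json) is also the precedence order.
    """
    env = os.environ if env is None else env
    if cli_path:
        return Path(cli_path)
    if env.get("UMENG_CONFIG_PATH"):
        return Path(env["UMENG_CONFIG_PATH"])
    candidate = Path(cwd) / DEFAULT_NAME
    return candidate if candidate.is_file() else None


def audit_config(path):
    """Return (findings, key_names) for a credential file; values are never returned."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o}: accessible beyond owner, use 0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is owned by a different user")
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return findings + [f"not readable as JSON: {exc}"], []
    keys = sorted(data) if isinstance(data, dict) else []
    return findings, keys


if __name__ == "__main__":
    cfg = resolve_config()
    if cfg is None:
        print("no umeng-config.json found")
    else:
        problems, names = audit_config(cfg)
        print(cfg, "keys:", names)
        for problem in problems:
            print("WARN:", problem)
```

Run it from the directory where the skill will be invoked, before the first call to scripts/assets.py, and compare the reported key names with what the sample umeng-config.json declares.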

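Standalone Deployment

This skill bundles the Umeng OpenAPI Python SDK, so the skills/uapp-assets/ directory can be copied to another location and run on its own.

Related Skills

  • uapp-core-index: core metrics queries (DAU, new users, etc.)
  • uapp-channel-version: channel and version distribution queries
  • uapp-retention: retention data queries
  • uapp-event: custom event queries
  • uapp-umini: mini-program statistics queries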
