ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

umami-setup

v1.0.0

Add Umami self-hosted analytics to any website with adblocker-proof proxy. Covers: creating the website in Umami, setting up a same-domain proxy (Next.js, As...

0· 382·0 current·0 all-time
byErwan Lee Pesle@superworldsavior
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The README-style SKILL.md describes creating a website in Umami and configuring same-domain proxy rewrites for Next.js/Astro/Vercel/Caddy/Nginx. All required capabilities (Umami instance, Umami admin credentials, and access to the website codebase) are consistent with the described functionality. The skill does not request unrelated cloud credentials or binaries.
Instruction Scope
Instructions are explicit and limited to actions necessary for the task: performing the Umami API login, creating a website via the API, configuring proxy rewrites/reverse-proxy rules, and verifying tracking. The instructions do not instruct reading unrelated system files or transmitting data to third-party endpoints beyond the Umami host and the user's domain.
Install Mechanism
This is instruction-only with no install spec and no code files; nothing is written to disk or fetched automatically, which minimizes install-time risk.
Credentials
The skill does not declare required env vars, but its steps require Umami admin credentials and knowledge of the Umami host and website codebase — these are expected and proportional. These credentials are sensitive (they produce bearer tokens used to create websites); the user should avoid sharing them and run commands in a trusted environment.
Persistence & Privilege
always:false and no install actions mean the skill does not persist or request elevated platform privileges. It will not be permanently present or modify other skills/configurations.
Assessment
This is a how-to guide you will follow manually. Before proceeding: ensure the Umami instance you use is trusted; run the provided curl commands in a secure terminal (they require admin username/password and will return a sensitive bearer token); avoid pasting credentials into third-party or shared consoles; deploy the reverse proxy with HTTPS and limit direct exposure of the Umami backend (bind to localhost or restrict by firewall); verify Host header handling and CORS on your proxy so you don't accidentally forward internal hostnames or auth headers; test changes in a staging environment first and confirm pageviews while using an adblocker. If you prefer automation, consider creating limited-scope API credentials rather than using the Umami admin account where possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk973h8cbh07023yr1cdcp77hw181y5pk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments