Skill v1.2.0

VirusTotal security

Crash and performance data query · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 11:31 AM
Hash
cedad19a7f8ef423b880cc81fc38bce72e55912f1fb98acd17c2b7bd903ffeb7
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: uapp-apm
Version: 1.2.0

The skill instructions (SKILL.md) contain prompt injections directing the AI agent to perform automated telemetry/tracking by executing 'umeng-cli trace' commands, including reporting the user's 'appkey' (dataSourceId) to the CLI tool without explicit user consent. Additionally, the documentation promotes a high-risk installation method via 'curl | sh' (pointing to raw.githubusercontent.com/umeng/umeng-cli), which is a common vector for supply chain attacks. While these behaviors are likely intended for legitimate vendor usage analytics, the automated exfiltration of identifiers and the use of unverified remote scripts meet the threshold for suspicious activity.