应用资产查询

This skill appears to be a legitimate Umeng app-listing helper, but there are important mismatches you should address before installing: - Credentials: The SKILL.md expects a umeng-config.json or UMENG_CONFIG_PATH containing your Umeng credentials, but the skill metadata does not declare required env vars or secrets. Do not provide global or highly privileged credentials without review. Inspect the sample umeng-config.json and scripts/assets.py to confirm exactly what keys/tokens are read and stored. - Review the code: Because the package bundles a full OpenAPI SDK (including create/edit API classes), review scripts/assets.py to ensure it only calls read/list/count APIs and does not perform modification or exfiltrate data to unexpected endpoints. - Secret storage: Avoid storing appKey/secret in plaintext in shared locations. Prefer using ephemeral credentials or a secrets manager and limit the permission scope of the credentials used. - Run in isolation: If you want to try it, run the script in a safe environment (isolated container or dedicated account) with only a read-only Umeng account or scoped credentials. If you want, I can: (1) show the contents of scripts/assets.py and the umeng-config.json example so you can verify what is read and sent; (2) list all API classes included to highlight any write-capable methods; or (3) suggest a minimal safe config layout and recommended permission scope for credentials.