Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
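Custom Event Data Query
v1.1.0
Umeng App custom event query entry-point skill. Use it when the user wants to view an instrumented event's trigger count, unique user count, or parameter distribution, or to confirm whether a given event exists. Trigger words: 自定义事件 (custom events), 埋点查询 (instrumentation query), 事件统计 (event statistics), 事件触发次数 (event trigger count), 独立用户 (unique users), 事件列表 (event list), 事件参数 (event parameters).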
by Umeng+ @squall0925
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: the package contains an Umeng OpenAPI Python SDK and a scripts/event.py entrypoint that implements event listing/querying — so capability aligns with purpose. However, the skill metadata declares no required credentials while the code/README and SKILL.md clearly expect an Umeng config (appkey/secret) to be present, which is a meaningful omission.
Instruction Scope
SKILL.md describes only querying Umeng event data, listing events, checking existence, and reading a JSON config (via --config, UMENG_CONFIG_PATH or local umeng-config.json). Those instructions stay within the stated purpose and explicitly send queries to Umeng APIs. There are no obvious instructions in SKILL.md to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
There is no install spec (instruction-only skill with bundled code). That is lower risk than download/install-from-URL flows. The bundle includes a full Umeng SDK and a script; while large, these files are expected for this integration.
Credentials
SKILL.md requires a configuration file or UMENG_CONFIG_PATH containing Umeng credentials (appkey/secret), but the registry metadata lists no required environment variables or primary credential. The included SDK code (aop/__init__.py and test README) documents storing an appkey/secret and sending requests to gateway.open.umeng.com; aop.set_default_appinfo stores secrets in memory in plain text per comments. The skill should have declared expected credential environment variables or secrets in metadata — omission increases risk (unexpected secret usage).
Persistence & Privilege
Skill is not always-enabled and does not request special system config paths in the registry metadata. It will run its bundled script when invoked; nothing in the manifest indicates it will modify other skills or request permanent elevated presence.
What to consider before installing
This skill appears to be an Umeng (友盟) event query tool and includes the Umeng OpenAPI Python SDK plus scripts/event.py. Before installing: (1) expect to supply Umeng credentials (appkey/secret) via umeng-config.json or UMENG_CONFIG_PATH — do not provide unrelated secrets; (2) review scripts/event.py to confirm it only calls Umeng endpoints (gateway.open.umeng.com) and does not contact other remote servers or read unrelated local files; (3) note the SDK comments that secrets are stored in memory in plain text — consider running the skill in an isolated environment or restricting where the config file is stored; (4) ask the publisher to update registry metadata to declare required credentials clearly (so you can audit permission requests). If you can share the full scripts/event.py content (the runtime entrypoint), I can re-evaluate and raise the confidence level or surface any suspicious code patterns found there.
Like a lobster shell, security has layers — review code before you run it.
latest vk972trf5kt9vrje4cfq4z7qayd84w3nw
