Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
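Custom Event Management
v1.1.0 · Umeng custom event management entry skill. Use it when the user needs to create tracking event definitions, batch-create events, or query the event list. Trigger phrases: 创建事件 (create event), 添加埋点 (add tracking point), 批量创建事件 (batch-create events), 事件列表 (event list), 自定义事件管理 (custom event management).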
by Umeng+ @squall0925
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included Umeng OpenAPI Python SDK and the event_manage.py entrypoint; the SDK files and CLI semantics are plausible for creating/querying Umeng custom events. However, the registry metadata declares no credentials or env vars while the SKILL.md and SDK expect a local umeng-config.json or UMENG_CONFIG_PATH and API credentials — metadata omission is inconsistent with the skill's stated purpose.
Instruction Scope
SKILL.md instructs the agent to run scripts/event_manage.py and to read configuration from a file (default umeng-config.json) or UMENG_CONFIG_PATH; it also supports a --from-file path for batch creation. That means at runtime the script will read files from disk (current dir or arbitrary paths provided by user). The instructions do not declare limits on which paths are safe to read; the presence of an env var and config-file flow is not documented in registry metadata, so the agent may access credentials/configuration unexpectedly.
Install Mechanism
No install spec — instruction-only skill with bundled Python files. There's no network download/install step in the registry metadata. Including an SDK source tree in the bundle is expected for an API client and is proportionate.
Credentials
The skill requests no env vars in metadata, but SKILL.md documents UMENG_CONFIG_PATH and a local umeng-config.json file that will hold API credentials. The skill therefore requires secrets (Umeng appkey/secret or access tokens) at runtime but does not declare them as required/primary credential in metadata — this mismatch is a red flag. The number of environment/credential items is reasonable for the function, but they must be declared and handled transparently.
Persistence & Privilege
always: false and no special persistence or modification of other skills detected. The skill is user-invocable and can be invoked autonomously (platform default), which is normal and not by itself a concern.
What to consider before installing
This package appears to implement an Umeng custom-event CLI and includes the Umeng OpenAPI Python SDK, which is consistent with its description. However:
1) the registry metadata does not declare that the skill needs Umeng credentials or the UMENG_CONFIG_PATH env var even though SKILL.md and the scripts expect a umeng-config.json — ask the publisher or inspect the repo to confirm what credentials will be read and where;
2) inspect scripts/event_manage.py and any umeng-config.json example in the bundle before running: verify it only contacts Umeng endpoints (gateway.open.umeng.com / open.1688.com) and does not send data elsewhere;
3) be cautious when supplying file paths for --from-file or allowing the script to use the current directory, since it will read files from disk; avoid pointing it at directories containing unrelated secrets;
4) run the script in an isolated environment (dedicated account/VM) or with least-privilege credentials first;
5) request the publisher to update the skill metadata to list required env vars/credentials (UMENG_CONFIG_PATH, appkey/secret or access tokens) so you can make an informed consent decision.
If you want, I can inspect scripts/event_manage.py and any umeng-config.json sample in the bundle for specific network calls, credential handling, and file-read behavior.
Like a lobster shell, security has layers — review code before you run it.
latest vk979624gwnf74b8xbawqhpyxn984x7cp
