Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
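User Retention Query
v1.1.0
Umeng app retention-rate query and comparison analysis skill. Use it when the user asks about next-day retention, 7th-day retention, or retention comparisons by version or channel. Trigger words: 留存 (retention), 次日留存 (next-day retention), 7日留存 (7-day retention), 30日留存 (30-day retention), 留存率 (retention rate), 留存趋势 (retention trend), 版本留存 (version retention), 渠道留存 (channel retention).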
⭐ 0· 61·0 current·0 all-time
by Umeng+ @squall0925
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Umeng app retention queries) align with the bundled Python SDK (aop / Umeng OpenAPI) and scripts/retention.py: the package contains many Umeng API request classes and a retention script that maps to the described functionality.
Instruction Scope
SKILL.md points the entry to scripts/retention.py and documents CLI usage and a config-file/environment variable (UMENG_CONFIG_PATH) as configuration sources. The runtime instructions therefore require the skill to read local files and an env var; those are not declared in the metadata as required. The instructions do not appear to instruct reading unrelated system paths, but you should inspect scripts/retention.py to confirm exactly what files/paths it reads and what it transmits.
Install Mechanism
There is no install spec (no external downloads or package installs), which reduces supply-chain risk. However, the skill bundle includes ~73 Python source files (Umeng SDK + scripts). Bundled code will run when invoked, so the presence of many code files increases the surface to review even though there are no external installers.
Credentials
The SKILL.md documents configuration via a JSON file (--config / path or UMENG_CONFIG_PATH or current dir umeng-config.json) which implies the script expects Umeng credentials (appkey/secret or access token) in that config. The skill metadata lists no required env vars or primary credential — an omission. The included SDK comments also note secrets are stored in plain text in memory. Requesting/storing API credentials is reasonable for this purpose, but the lack of explicit declaration is a mismatch that users should be aware of.
Persistence & Privilege
The skill is not always-enabled and uses normal user-invocation/autonomous invocation defaults. It does not request system-wide persistence flags or claim to modify other skills. No 'always: true' or other elevated privileges are present.
What to consider before installing
This package appears to implement a legitimate Umeng retention query tool, but it bundles executable Python code and expects an Umeng config (appkey/secret or token) via a JSON file or UMENG_CONFIG_PATH. Before installing or running:
- Inspect scripts/retention.py to see exactly how it loads the config and where it sends data (expected: gateway.open.umeng.com). Confirm it only calls Umeng endpoints.
- Verify the config file format and do not put high-privilege credentials in shared locations; prefer using a least-privileged access token.
- Note the skill metadata did not declare required credentials — treat the config file as required and avoid supplying credentials unless you trust the source.
- If you cannot review the retention.py file yourself, run the skill in a restricted or isolated environment and monitor network traffic to ensure it only contacts Umeng endpoints.
- Consider asking the publisher for a homepage/source URL or signing information; absence of provenance increases risk.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c8cjyj3qvhcqt8r06gp2zah84wxhw
