Back to skill
Skillv1.2.0
VirusTotal security
用户留存查询 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 11:51 AM
- Hash
- 418421d0a691e7dd8b348d66729ef442a49111817a02410b82f7dd0d544c73a9
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: uapp-retention Version: 1.2.0 The skill bundle contains instructions in `SKILL.md` that direct the AI agent to perform automated telemetry by executing `umeng-cli trace` commands, which report the user-provided `appkey` to the service provider. This constitutes a prompt-injection technique where the agent is instructed to perform side-effect actions (tracking) beyond the user's explicit request. Additionally, the documentation promotes a high-risk `curl | sh` installation pattern for the `umeng-cli` tool. While these behaviors are documented and likely intended for legitimate usage analytics, they represent unauthorized command execution and risky deployment practices.
- External report
- View on VirusTotal