友盟 U-APP 统计 SDK 集成

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed Umeng analytics helper that uses user-provided Umeng credentials to query app statistics, with no artifact-backed evidence of hidden persistence, exfiltration, or destructive behavior.

Install this if you intend to work with Umeng App analytics and are comfortable exposing Umeng API credentials to the local agent environment. For generic analytics or SDK-selection tasks, confirm that you specifically want Umeng guidance before letting the skill drive changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger list includes broad analytics terms such as '应用埋点' and '数据分析 SDK', which can cause this skill to activate for generic analytics requests unrelated to Umeng. In an agent environment, overbroad activation can steer users into applying the wrong SDK integration guidance, causing unintended code changes, privacy/compliance mistakes, or supply-chain choices the user did not ask for.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal