umami-setup

Review

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill does what it says, but it explicitly teaches how to make analytics bypass visitors’ ad blockers, so it needs review before use.

Use this only for websites you control and only after reviewing privacy, consent, and disclosure obligations. Be especially cautious with the adblocker-bypass proxy, and protect Umami admin credentials when running the example commands.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Visitors who use ad blockers or tracking blockers may still be tracked, which can undermine their privacy expectations and create legal or reputational risk for the site operator.

Why it was flagged

The artifact explicitly instructs users to configure analytics so blocking tools cannot distinguish it from first-party site assets.

Skill content

Self-hosted Umami analytics with a same-domain proxy to bypass adblockers. The script is served from the same domain as your site, so blockers see it as first-party.

Recommendation

Use transparent analytics practices, disclose tracking clearly, honor consent and opt-out requirements, and avoid deploying blocker-evasion behavior unless it is legally and ethically appropriate.

What this means

Running the commands against the wrong host or with wrong values could create incorrect analytics configuration.

Why it was flagged

The guide includes authenticated API calls that create Umami website records. This is expected for the skill's purpose, but it mutates an analytics account.

Skill content

curl -s -X POST "https://<UMAMI_HOST>/api/websites" ... -d '{"name":"<SITE_NAME>","domain":"<DOMAIN>"}'

Recommendation

Run the commands manually, confirm the Umami host and domain values before use, and keep a record of changes made.

What this means

If copied into shell history, logs, or shared terminals, the admin password or token could be exposed.

Why it was flagged

The skill requires privileged Umami credentials and obtains a bearer token. This is purpose-aligned for creating a website in Umami, and the artifact does not show credential logging or unrelated use.

Skill content

- Admin credentials for Umami

TOKEN=$(curl -s -X POST "https://<UMAMI_HOST>/api/auth/login" ... -d '{"username":"admin","password":"<PASSWORD>"}'

Recommendation

Use a least-privilege Umami account if available, avoid storing passwords in command history, and revoke tokens or rotate credentials if they are exposed.