← Back to Skills Marketplace
squall0925

App基础指标+智能巡检(异动报告)

by Umeng+ · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
84
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install umeng-api
Description
查询友盟 (UMeng) 应用统计数据分析,支持通过 APPKEY 获取应用的基础指标信息如新增用户数、活跃用户数等。当用户提到"友盟"、"umeng"、"APPKEY"、"新增用户"、"活跃用户"或需要查询应用统计数据时使用此技能。
Usage Guidance
This skill is an Umeng (友盟) Python SDK and legitimately needs your Umeng apiKey and apiSecurity. However: (1) the skill's metadata does not declare those required credentials even though SKILL.md and the code expect them — treat this as a red flag and do not supply secrets without inspecting the code; (2) the code will look for a config file in the current directory, your home directory, or the skill directory — check those locations for accidental credential leakage and do not store long-lived secrets in shared repos; (3) review umeng_config.py and umeng_get_outlier_points.py to confirm credentials are only used to call Umeng endpoints (gateway.open.umeng.com / mobile.umeng.com) and not exfiltrated elsewhere; (4) prefer running the code in a restricted/sandboxed environment and set file permissions (chmod 600) on any config file; (5) ask the publisher to update the skill metadata to list required env vars (UMENG_API_KEY, UMENG_API_SECURITY) and clarify automatic loading behavior — if they do and code audit is clean, the mismatches here would be resolved and the skill would be coherent.
Capability Analysis
Type: OpenClaw Skill Name: umeng-api Version: 1.0.0 The skill provides a Python SDK and wrapper for UMeng (友盟) application analytics. It is classified as suspicious due to a security vulnerability in `umeng_get_outlier_points.py`, which transmits the `api_security` key as a plaintext query parameter in a GET request to `mobile.umeng.com`. This practice risks credential exposure via server logs, browser history, or network interception. While the rest of the bundle (including the `aop` SDK) appears to follow standard API signing practices and includes security advice for managing configuration files, the credential leakage vulnerability meets the criteria for a suspicious classification.
Capability Assessment
Purpose & Capability
The name/description match the included code: the repository contains a full Python AOP/SDK for Umeng with requests to Umeng endpoints (e.g., gateway.open.umeng.com and mobile.umeng.com) and helper scripts for querying metrics and outlier reports. That aligns with the stated purpose. However the skill metadata lists no required environment variables or primary credential even though the SDK and SKILL.md clearly require API credentials (apiKey / apiSecurity).
Instruction Scope
SKILL.md clearly instructs the agent to load credentials from a config file (./umeng-config.json, ~/umeng-config.json, or skill-dir) or environment variables (UMENG_API_KEY, UMENG_API_SECURITY) and then call Umeng APIs. Those instructions are narrowly scoped to the stated functionality. A minor inconsistency: the README/UPDATE_LOG claims aop.__init__ was updated to auto-load config, but the provided aop/__init__.py is a lightweight implementation that does not implement an automatic _load_umeng_config function — the outlier helper imports umeng_config.py directly to get credentials. The skill will read files from the current directory, user home, or the skill directory (as documented) — expected for a credential-loading helper, but this behaviour increases the surface where credentials can be read, so users should be aware.
Install Mechanism
No install specification is declared (instruction-only for installation), so nothing will be downloaded or executed automatically by an installer. The repository includes many Python files (SDK + utility scripts) but no external installer or remote-downloads. This lowers install-time risk. The package does contain packaging and validation scripts (scripts/package_skill.py, quick_validate.py) which are not required for runtime but are not themselves harmful.
Credentials
The skill requires Umeng API credentials (apiKey / apiSecurity) and documents environment variables UMENG_API_KEY / UMENG_API_SECURITY and a config file, but the skill metadata declares no required env vars or primary credential. That mismatch is problematic because automated systems (and users) may not be warned that secrets are needed. The code will read credentials from CWD, home directory, or the skill directory — legitimate for this API client, but the skill requesting access to filesystem locations (home, cwd) should have been reflected in the metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configuration. It contains only code to call Umeng APIs and helper utilities; there is no evidence it attempts to persist itself beyond its directory or to access other skills' credentials. Autonomous invocation is allowed by default (disable-model-invocation: false) which is normal; this combined with the credential handling is why you should carefully control which agents get these credentials.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install umeng-api
  3. After installation, invoke the skill by name or use /umeng-api
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
umeng-api 1.0.0 – 初始版本 - 提供友盟 (UMeng) 应用数据查询基础能力,包括新增用户数、活跃用户数、异常点监测等。 - 内置友盟开放平台 API 的完整 Python SDK 封装,无需额外安装依赖。 - 支持通过 umeng-config.json 配置文件、环境变量或代码参数三种方式优先加载 API 认证信息。 - 示例代码详解了基础用法、错误处理、配置管理和安全建议。 - 支持多种友盟原生数据接口,包括启动次数、留存率、渠道数据等。
Metadata
Slug umeng-api
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is App基础指标+智能巡检(异动报告)?

查询友盟 (UMeng) 应用统计数据分析,支持通过 APPKEY 获取应用的基础指标信息如新增用户数、活跃用户数等。当用户提到"友盟"、"umeng"、"APPKEY"、"新增用户"、"活跃用户"或需要查询应用统计数据时使用此技能。 It is an AI Agent Skill for Claude Code / OpenClaw, with 84 downloads so far.

How do I install App基础指标+智能巡检(异动报告)?

Run "/install umeng-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is App基础指标+智能巡检(异动报告) free?

Yes, App基础指标+智能巡检(异动报告) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does App基础指标+智能巡检(异动报告) support?

App基础指标+智能巡检(异动报告) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created App基础指标+智能巡检(异动报告)?

It is built and maintained by Umeng+ (@squall0925); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments