Downloads: 147
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install umeng-push-helper
Description
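Umeng Push admin console assistant (read-only queries). Helps fetch the app list, query push data, and so on. **The user must provide a Cookie before use**: visit https://upush.umeng.com, log in, then copy the Cookie from the Network tab of the browser developer tools and provide it to the system. Use when working with Umeng push...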
Usage Guidance
This skill implements read-only queries for Umeng Push and expects you to provide your browser session cookie (ctoken and login id). Before installing or running it:
1) Do NOT paste full cookies into any public chat; that shares a live session token. Prefer storing cookies only locally using the provided scripts and run them locally, not in a hosted agent environment.
2) Inspect the bundled Python scripts (especially auto_get_cookie.py, browser_cookie.py, and any network code) yourself; auto_get_cookie can access your browser cookies beyond just Umeng's session.
3) Note the inconsistent file usage (cookie.json vs cookie.txt and different paths); verify where cookies will be saved and ensure file permissions and storage location are acceptable.
4) If possible, create a low-privilege/test account or use ephemeral session cookies instead of your main account.
5) Avoid running the automatic cookie retrieval unless you trust the code and run it in an isolated environment.
6) The skill includes a 'security_interceptor' blocking write APIs (sendMsg, updateApp, etc.), which is good, but that does not eliminate the cookie-exposure risk.
If you are not comfortable reviewing code, do not provide session cookies to this skill.
Capability Analysis
Type: OpenClaw Skill
Name: umeng-push-helper
Version: 1.0.0
The bundle provides tools for Umeng Push management but contains high-risk vulnerabilities and documentation inconsistencies. Specifically, `api_request.py` includes a `custom` command that allows the agent to make HTTP requests to any arbitrary URL while automatically attaching the user's sensitive Umeng session cookies, as the `make_request` function lacks domain validation. Additionally, while `SKILL.md` claims automatic cookie extraction is no longer supported, the bundle includes `auto_get_cookie.py` and documentation (`CHANGELOG_COOKIE_UPDATE.md`) promoting it as the recommended method. These factors, combined with the broad capability to query sensitive account data, create a significant surface for credential exfiltration if the agent is targeted by prompt injection.
Capability Assessment
Purpose & Capability
The skill's name/description (read-only Umeng push queries) align with the included scripts that call upush.umeng.com read APIs. No unrelated cloud credentials or unrelated binaries are requested. However, there is functionality around obtaining and storing browser cookies (auto_get_cookie, browser_cookie, manage_cookie) which is directly related to authentication but increases sensitivity; this capability is expected for a cookie-based integration but should be treated as sensitive.
Instruction Scope
Runtime instructions explicitly ask the user to provide their full browser Cookie (ctoken and login id) via the conversation or to run scripts that read browser cookies. The SKILL.md and README contain conflicting guidance: SKILL.md claims automatic browser-cookie retrieval is no longer supported, while README still recommends and documents scripts for automatic retrieval. Asking users to paste full cookies into chat or providing an automatic browser cookie reader broadens scope to highly sensitive data (session cookies) and increases risk of accidental exposure or exfiltration. The skill includes a security_interceptor to block write APIs, but that does not mitigate the risk of cookies leaking via logs, conversation history, or other code paths.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). That reduces supply-chain risk compared to remote downloads. All code is included in the bundle (Python scripts). There are no external download URLs in the provided manifest. Still, running included scripts will write files and perform network calls, so users should review code before executing.
Credentials
The skill requests no environment variables or external credentials in metadata, instead relying on session cookies supplied by the user — which is expected for a web-session-based integration. This is proportionate to the stated purpose, but cookies are very sensitive. The skill writes cookies to local files (cookie.json / cookie.txt) and some scripts reference ~/.qoderwork/... while others use script-relative storage, showing inconsistent paths. The skill sets file perms to 600 in at least one script, which is good, but the mix of filenames and locations increases the chance of confusion or accidental exposure.
Persistence & Privilege
The skill persists user session cookies to disk (~/.qoderwork/skills/umeng-push-helper/cookie.txt or cookie.json) and includes an 'auto_get_cookie' utility that appears to read browser cookies. The skill is not always:true, but it can be invoked autonomously. Combined with the cookie-handling behavior and the ability to save cookies, this increases the blast radius if the skill is allowed to run without human oversight. The presence of a security_interceptor that blocks write APIs is a mitigating control for API misuse, but it doesn't prevent cookie exfiltration via other means (logs, network calls to other hosts, or conversational transcripts).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install umeng-push-helper`
- After installation, invoke the skill by name or use `/umeng-push-helper`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Umeng Push Helper 1.0.0 - Initial Release
- Provides read-only tools for querying Umeng Push backend data, including app lists, push summaries, weekly reports, push trace analysis, switch statistics, and push closure attribution.
- Strictly blocks all write or modification APIs for security; only read/query APIs are enabled.
- Requires users to supply their own Umeng Cookie for all operations, with detailed step-by-step guidance for obtaining and saving the Cookie.
- Offers command-line scripts for Cookie validation, management, and for fetching core push data.
- Supports paginated queries and detailed field explanations for all listed functionalities.
Frequently Asked Questions
What is 推送消息数据助手(友盟U-Push)?
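Umeng Push admin console assistant (read-only queries). Helps fetch the app list, query push data, and so on. **The user must provide a Cookie before use**: visit https://upush.umeng.com, log in, then copy the Cookie from the Network tab of the browser developer tools and provide it to the system. Use when working with Umeng push... It is an AI Agent Skill for Claude Code / OpenClaw, with 147 downloads so far.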
How do I install 推送消息数据助手(友盟U-Push)?
Run "/install umeng-push-helper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 推送消息数据助手(友盟U-Push) free?
Yes, 推送消息数据助手(友盟U-Push) is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 推送消息数据助手(友盟U-Push) support?
推送消息数据助手(友盟U-Push) is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 推送消息数据助手(友盟U-Push)?
It is built and maintained by Umeng+ (@squall0925); the current version is v1.0.0.