← Back to Skills Marketplace
Umeng Stats
by
Buzz Zhang
· GitHub ↗
· v1.0.0
· MIT-0
66
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install umeng-stats
Description
Query Umeng (友盟) app statistics including U-APM crash/error data and U-App analytics. Covers: crash stats, ANR counts, error trends, affected users, daily ac...
Usage Guidance
This skill appears to implement legitimate Umeng API calls, but there are red flags you should consider before installing: 1) The repository includes plaintext Umeng credentials (apiKey and apiSecurity) in config.json — treat those as sensitive and do NOT assume they are safe to reuse. If these are real credentials, they should be rotated and removed. 2) The Python script uses an absolute, user-specific CONFIG_PATH (/Users/zhangjing/...) that differs from the SKILL.md's workspace-relative path. That means the script may read a file from a specific home directory rather than the skill's workspace; this is a concrete risk (it may access files outside the expected directory) and a packaging bug. 3) The project source is 'unknown' with no homepage or publisher info — exercise extra caution with credentials and provenance. Recommendations: - Do not install blindly. Inspect and (ideally) run the code in an isolated environment (sandbox/container). - Remove or replace the embedded credentials: move apiKey/apiSecurity into secure environment variables or a workspace-protected config and update the script to read the workspace-relative path (or honor SKILL.md). - If you are the owner of the listed Umeng accounts, rotate the apiSecurity if you suspect it was leaked. - If you need this skill, request a version from a trusted source or modify the script to use a configurable path and environment-backed secrets before enabling it. - Absence of scanner warnings does not imply safety; the path/credentials issues are visible in the files and are the key concerns.
Capability Analysis
Type: OpenClaw Skill
Name: umeng-stats
Version: 1.0.0
The skill bundle contains hardcoded API credentials (apiKey and apiSecurity) in config.json and a hardcoded absolute file path (/Users/zhangjing/...) in scripts/query_crash.py. While the script's logic appears to legitimately query the Umeng API (gateway.open.umeng.com), the inclusion of private credentials and local environment paths constitutes a significant security risk and a functional vulnerability for any user other than the original author.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description match the included code and config: the script calls Umeng gateway endpoints and the config.json contains an apiKey/apiSecurity and app IDs. Those credentials and app keys are consistent with Umeng querying functionality. However, bundling plaintext apiSecurity in the repo instead of using declared environment credentials is unusual and increases exposure risk.
Instruction Scope
SKILL.md instructs resolving the config under ~/.openclaw/workspace/skills/umeng-crash-stats/config.json (relative path), but the Python script uses a hard-coded absolute CONFIG_PATH: '/Users/zhangjing/.openclaw/workspace/skills/umeng-crash-stats/config.json'. This mismatch is a scope creep/risk: the code will read a specific user's home path rather than a workspace-relative path, which can cause it to access files outside the skill's intended directory on the host or fail unpredictably. The runtime instructions do not require or mention any unrelated file reads, but the code's hard-coded path does.
Install Mechanism
No install spec; the skill is instruction-only with a bundled script and config. There are no downloads or external installers. This minimizes install-time risk because nothing is fetched or written by an installer step.
Credentials
No environment variables are required, and instead the repo contains apiKey and apiSecurity in config.json. Those are the credentials needed to call Umeng and are therefore proportional to the purpose — but embedding secrets in a distributed config file is poor practice and increases secret exposure. Also the config contains many app IDs which is expected for an analytics tool.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skill configs. It runs on demand and performs network calls to the Umeng gateway only. There is no evidence of persistent privileged behavior beyond reading the hard-coded config file.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install umeng-stats - After installation, invoke the skill by name or use
/umeng-stats - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: U-APM crash stats + U-App analytics for 20 apps
Metadata
Frequently Asked Questions
What is Umeng Stats?
Query Umeng (友盟) app statistics including U-APM crash/error data and U-App analytics. Covers: crash stats, ANR counts, error trends, affected users, daily ac... It is an AI Agent Skill for Claude Code / OpenClaw, with 66 downloads so far.
How do I install Umeng Stats?
Run "/install umeng-stats" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Umeng Stats free?
Yes, Umeng Stats is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Umeng Stats support?
Umeng Stats is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Umeng Stats?
It is built and maintained by Buzz Zhang (@fengerzh); the current version is v1.0.0.
More Skills