← 返回 Skills 市场
124
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install uapp-assets
功能描述
友盟应用资产查询技能,支持通过 umeng-cli call 调用友盟 OpenAPI(gateway.open.umeng.com)的 3 个只读资产接口,覆盖 App 总数、App 列表、小程序列表及小程序总数查询(跨 com.umeng.uapp 与 com.umeng.umini 两个命名空间)。当用户需...
安全使用建议
This skill appears to do what it says (query account-level app and mini-program lists via umeng-cli), but it includes instructions that may send telemetry and app identifiers to Umeng automatically. Before installing or allowing the agent to run it, consider: 1) refuse or review any 'umeng-cli trace' calls and require explicit user consent before sending telemetry or any appkey values; 2) prefer installing umeng-cli yourself (via npm) rather than allowing the agent to run curl | sh; 3) verify the umeng-cli source code / install script if you care about what gets executed or sent; 4) be aware that umeng-cli will use locally cached AK/SK for API calls—avoid using shared or high-privilege credentials if you’re unsure. If you want to proceed, require the agent to show the exact 'trace' payload and ask your approval before executing it.
功能分析
Type: OpenClaw Skill
Name: uapp-assets
Version: 1.2.0
The skill bundle is a legitimate integration for the Umeng (友盟) application analytics platform, allowing an AI agent to query application and mini-program assets via the `umeng-cli` tool. While the `SKILL.md` file includes instructions for the agent to perform telemetry ('埋点上报') by executing `umeng-cli trace` with usage data and public application identifiers (appkeys), these actions are transparently documented and do not involve sensitive secrets or harmful exfiltration. The installation methods (npm and a GitHub-hosted shell script) and authentication procedures are standard for developer tools, and the instructions are clearly aligned with the stated purpose of asset discovery and management.
能力标签
能力评估
Purpose & Capability
Name/description align with the instructions: the skill uses umeng-cli to call three read-only Umeng OpenAPI endpoints to list/count apps and mini-programs. Declared dependency on umeng-cli and the described endpoints are coherent with the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to run a telemetry command immediately after reading the document: umeng-cli trace '{"skill_name":"umeng-cli-uapp-assets"}'. It also tells the agent to send an additional trace containing an appkey if the user provides one. These trace calls cause network transmission of usage data (and possibly appkey values) to Umeng independent of the user's explicit query. The skill also advises running umeng-cli login in a background mode and provides commands that would be executed by the agent — these are within the tool's domain but the unconditional telemetry call is outside the pure 'list assets' requirement and may leak context or secrets.
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only), but the README suggests installing via 'npm install -g @umengfe/umeng-cli' or via a curl|sh installer hosted on raw.githubusercontent.com. NPM install is standard; curl | sh (pipe to shell) is higher-risk even when pointing at GitHub raw content — it executes remote script on the host and should be treated cautiously.
Credentials
The skill declares no required env vars, which is reasonable, but relies on umeng-cli's local cached AK/SK for auth. The instructions ask the agent to call 'trace' and to include an appkey when the user provides one — this would transmit an app identifier and confirm usage to Umeng. That means the skill's runtime behavior can exfiltrate account-associated identifiers (appkeys) or reveal usage patterns even though no environment credentials are declared. The SKILL.md asserts AK/SK are stored/encrypted by umeng-cli, but the skill does not describe or limit what telemetry is sent or where.
Persistence & Privilege
The skill is not always:true and does not request system-wide config changes. However, it instructs the agent to perform outbound telemetry immediately when the document is read; coupled with the platform's default ability for autonomous invocation, that telemetry could occur without an explicit user command. This is not a direct privilege escalation but raises privacy/behavior concerns.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install uapp-assets - 安装完成后,直接呼叫该 Skill 的名称或使用
/uapp-assets触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
**重大更新:由内置脚本切换为 umeng-cli 官方工具,精简结构并标准化接口。**
- 移除了全部本地实现及 OpenAPI Python SDK 相关文件,依赖官方 umeng-cli 工具进行操作。
- Skill 名称由“uapp-assets”变更为“umeng-cli-uapp-assets”,完全重新编写文档和用法说明。
- 只支持 umeng-cli call 调用友盟 OpenAPI 资产只读接口(App 总数、App 列表、小程序列表)。
- 更新接口说明,区分 App 与小程序命名空间和分页参数。
- 补充了 umeng-cli 的安装、登录、埋点打点等官方推荐操作流程。
- 移除了本地 Python 脚本文件及独立 SDK 部署说明,统一依赖 umeng-cli。
v1.1.0
uapp-assets 1.1.0
- 增加 skill 描述字段,明确触发词和使用场景。
- 补充详细的边界条件与异常处理建议(如分页提示、无结果过滤处理)。
- 文档结构优化,原 summary 字段更名为 description,并加粗关键信息。
- 其他内容保持不变,主要提升易用性和容错说明。
v1.0.0
uapp-assets 1.0.0 初始版本发布。
- 新增友盟应用资产查询功能,支持获取应用数量、App 列表及小程序列表
- 支持多种 CLI 命令,以及平台与分页过滤
- 提供结构化输出(表格与 JSON)与多种配置方式
- 支持独立部署,内置友盟 OpenAPI Python SDK
- 清晰区分适用与非适用场景
元数据
常见问题
应用资产查询 是什么?
友盟应用资产查询技能,支持通过 umeng-cli call 调用友盟 OpenAPI(gateway.open.umeng.com)的 3 个只读资产接口,覆盖 App 总数、App 列表、小程序列表及小程序总数查询(跨 com.umeng.uapp 与 com.umeng.umini 两个命名空间)。当用户需... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 124 次。
如何安装 应用资产查询?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install uapp-assets」即可一键安装,无需额外配置。
应用资产查询 是免费的吗?
是的,应用资产查询 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
应用资产查询 支持哪些平台?
应用资产查询 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 应用资产查询?
由 Umeng+(@squall0925)开发并维护,当前版本 v1.2.0。
推荐 Skills