squall0925

Push Message Data Assistant (Umeng U-Push)

Author: Umeng+ · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 147
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install umeng-push-helper
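Description
Umeng push backend management assistant (read-only queries). Helps fetch the app list, query push data, and more. **Users must provide a Cookie before use**: visit https://upush.umeng.com, log in, then copy the Cookie from the Network tab of the browser developer tools and provide it to the system. Use when working with Umeng push...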
Security Usage Recommendations
This skill implements read-only queries for Umeng Push and expects you to provide your browser session cookie (ctoken and login id). Before installing or running it:
  1. Do NOT paste full cookies into any public chat — that shares a live session token. Prefer storing cookies only locally using the provided scripts and run them locally, not in a hosted agent environment.
  2. Inspect the bundled Python scripts (especially auto_get_cookie.py, browser_cookie.py, and any network code) yourself — auto_get_cookie can access your browser cookies beyond just Umeng's session.
  3. Note the inconsistent file usage (cookie.json vs cookie.txt and different paths); verify where cookies will be saved and ensure file permissions and storage location are acceptable.
  4. If possible, create a low-privilege/test account or use ephemeral session cookies instead of your main account.
  5. Avoid running the automatic cookie retrieval unless you trust the code and run it in an isolated environment.
  6. The skill includes a 'security_interceptor' blocking write APIs (sendMsg, updateApp, etc.), which is good, but that does not eliminate the cookie-exposure risk.
If you are not comfortable reviewing code, do not provide session cookies to this skill.
Functional Analysis
Type: OpenClaw Skill
Name: umeng-push-helper
Version: 1.0.0
The bundle provides tools for Umeng Push management but contains high-risk vulnerabilities and documentation inconsistencies. Specifically, `api_request.py` includes a `custom` command that allows the agent to make HTTP requests to any arbitrary URL while automatically attaching the user's sensitive Umeng session cookies, as the `make_request` function lacks domain validation. Additionally, while `SKILL.md` claims automatic cookie extraction is no longer supported, the bundle includes `auto_get_cookie.py` and documentation (`CHANGELOG_COOKIE_UPDATE.md`) promoting it as the recommended method. These factors, combined with the broad capability to query sensitive account data, create a significant surface for credential exfiltration if the agent is targeted by prompt injection.
Capability Assessment
Purpose & Capability
The skill's name/description (read-only Umeng push queries) align with the included scripts that call upush.umeng.com read APIs. No unrelated cloud credentials or unrelated binaries are requested. However, there is functionality around obtaining and storing browser cookies (auto_get_cookie, browser_cookie, manage_cookie) which is directly related to authentication but increases sensitivity; this capability is expected for a cookie-based integration but should be treated as sensitive.
Instruction Scope
Runtime instructions explicitly ask the user to provide their full browser Cookie (ctoken and login id) via the conversation or to run scripts that read browser cookies. The SKILL.md and README contain conflicting guidance: SKILL.md claims automatic browser-cookie retrieval is no longer supported, while README still recommends and documents scripts for automatic retrieval. Asking users to paste full cookies into chat or providing an automatic browser cookie reader broadens scope to highly sensitive data (session cookies) and increases risk of accidental exposure or exfiltration. The skill includes a security_interceptor to block write APIs, but that does not mitigate the risk of cookies leaking via logs, conversation history, or other code paths.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). That reduces supply-chain risk compared to remote downloads. All code is included in the bundle (Python scripts). There are no external download URLs in the provided manifest. Still, running included scripts will write files and perform network calls, so users should review code before executing.
Credentials
The skill requests no environment variables or external credentials in metadata, instead relying on session cookies supplied by the user — which is expected for a web-session-based integration. This is proportionate to the stated purpose, but cookies are very sensitive. The skill writes cookies to local files (cookie.json / cookie.txt) and some scripts reference ~/.qoderwork/... while others use script-relative storage, showing inconsistent paths. The skill sets file perms to 600 in at least one script, which is good, but the mix of filenames and locations increases the chance of confusion or accidental exposure.
Persistence & Privilege
The skill persists user session cookies to disk (~/.qoderwork/skills/umeng-push-helper/cookie.txt or cookie.json) and includes an 'auto_get_cookie' utility that appears to read browser cookies. The skill is not always:true, but it can be invoked autonomously. Combined with the cookie-handling behavior and the ability to save cookies, this increases the blast radius if the skill is allowed to run without human oversight. The presence of a security_interceptor that blocks write APIs is a mitigating control for API misuse, but it doesn't prevent cookie exfiltration via other means (logs, network calls to other hosts, or conversational transcripts).
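How to Use
  1. Make sure OpenClaw is installed (locally or deployed with Docker)
  2. Enter the install command in the chat box: /install umeng-push-helper
  3. After installation, call the Skill by name or trigger it with /umeng-push-helper
  4. Provide the required input according to the Skill's parameter documentation to get structured output
Version History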
v1.0.0
Umeng Push Helper 1.0.0 - Initial Release
- Provides read-only tools for querying Umeng Push backend data, including app lists, push summaries, weekly reports, push trace analysis, switch statistics, and push closure attribution.
- Strictly blocks all write or modification APIs for security; only read/query APIs are enabled.
- Requires users to supply their own Umeng Cookie for all operations, with detailed step-by-step guidance for obtaining and saving the Cookie.
- Offers command-line scripts for Cookie validation, management, and for fetching core push data.
- Supports paginated queries and detailed field explanations for all listed functionalities.
Metadata
Slug: umeng-push-helper
Version: 1.0.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ

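What is Push Message Data Assistant (Umeng U-Push)?

Umeng push backend management assistant (read-only queries). Helps fetch the app list, query push data, and more. **Users must provide a Cookie before use**: visit https://upush.umeng.com, log in, then copy the Cookie from the Network tab of the browser developer tools and provide it to the system. Use when working with Umeng push... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 147 total downloads so far.

How do I install Push Message Data Assistant (Umeng U-Push)?

Run the command "/install umeng-push-helper" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Push Message Data Assistant (Umeng U-Push) free?

Yes. Push Message Data Assistant (Umeng U-Push) is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Push Message Data Assistant (Umeng U-Push) support?

Push Message Data Assistant (Umeng U-Push) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Push Message Data Assistant (Umeng U-Push)?

It is developed and maintained by Umeng+ (@squall0925); the current version is v1.0.0.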
