← 返回 Skills 市场
Umeng Stats
作者
Buzz Zhang
· GitHub ↗
· v1.0.0
· MIT-0
66
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install umeng-stats
功能描述
Query Umeng (友盟) app statistics including U-APM crash/error data and U-App analytics. Covers: crash stats, ANR counts, error trends, affected users, daily ac...
安全使用建议
This skill appears to implement legitimate Umeng API calls, but there are red flags you should consider before installing: 1) The repository includes plaintext Umeng credentials (apiKey and apiSecurity) in config.json — treat those as sensitive and do NOT assume they are safe to reuse. If these are real credentials, they should be rotated and removed. 2) The Python script uses an absolute, user-specific CONFIG_PATH (/Users/zhangjing/...) that differs from the SKILL.md's workspace-relative path. That means the script may read a file from a specific home directory rather than the skill's workspace; this is a concrete risk (it may access files outside the expected directory) and a packaging bug. 3) The project source is 'unknown' with no homepage or publisher info — exercise extra caution with credentials and provenance. Recommendations: - Do not install blindly. Inspect and (ideally) run the code in an isolated environment (sandbox/container). - Remove or replace the embedded credentials: move apiKey/apiSecurity into secure environment variables or a workspace-protected config and update the script to read the workspace-relative path (or honor SKILL.md). - If you are the owner of the listed Umeng accounts, rotate the apiSecurity if you suspect it was leaked. - If you need this skill, request a version from a trusted source or modify the script to use a configurable path and environment-backed secrets before enabling it. - Absence of scanner warnings does not imply safety; the path/credentials issues are visible in the files and are the key concerns.
功能分析
Type: OpenClaw Skill
Name: umeng-stats
Version: 1.0.0
The skill bundle contains hardcoded API credentials (apiKey and apiSecurity) in config.json and a hardcoded absolute file path (/Users/zhangjing/...) in scripts/query_crash.py. While the script's logic appears to legitimately query the Umeng API (gateway.open.umeng.com), the inclusion of private credentials and local environment paths constitutes a significant security risk and a functional vulnerability for any user other than the original author.
能力标签
能力评估
Purpose & Capability
Name/description match the included code and config: the script calls Umeng gateway endpoints and the config.json contains an apiKey/apiSecurity and app IDs. Those credentials and app keys are consistent with Umeng querying functionality. However, bundling plaintext apiSecurity in the repo instead of using declared environment credentials is unusual and increases exposure risk.
Instruction Scope
SKILL.md instructs resolving the config under ~/.openclaw/workspace/skills/umeng-crash-stats/config.json (relative path), but the Python script uses a hard-coded absolute CONFIG_PATH: '/Users/zhangjing/.openclaw/workspace/skills/umeng-crash-stats/config.json'. This mismatch is a scope creep/risk: the code will read a specific user's home path rather than a workspace-relative path, which can cause it to access files outside the skill's intended directory on the host or fail unpredictably. The runtime instructions do not require or mention any unrelated file reads, but the code's hard-coded path does.
Install Mechanism
No install spec; the skill is instruction-only with a bundled script and config. There are no downloads or external installers. This minimizes install-time risk because nothing is fetched or written by an installer step.
Credentials
No environment variables are required, and instead the repo contains apiKey and apiSecurity in config.json. Those are the credentials needed to call Umeng and are therefore proportional to the purpose — but embedding secrets in a distributed config file is poor practice and increases secret exposure. Also the config contains many app IDs which is expected for an analytics tool.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skill configs. It runs on demand and performs network calls to the Umeng gateway only. There is no evidence of persistent privileged behavior beyond reading the hard-coded config file.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install umeng-stats - 安装完成后,直接呼叫该 Skill 的名称或使用
/umeng-stats触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: U-APM crash stats + U-App analytics for 20 apps
元数据
常见问题
Umeng Stats 是什么?
Query Umeng (友盟) app statistics including U-APM crash/error data and U-App analytics. Covers: crash stats, ANR counts, error trends, affected users, daily ac... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 66 次。
如何安装 Umeng Stats?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install umeng-stats」即可一键安装,无需额外配置。
Umeng Stats 是免费的吗?
是的,Umeng Stats 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Umeng Stats 支持哪些平台?
Umeng Stats 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Umeng Stats?
由 Buzz Zhang(@fengerzh)开发并维护,当前版本 v1.0.0。
推荐 Skills