Analytics & Tracking Setup — 包裹追踪服务
v0.1.0和 用户 behavior 使用 Segment.
0· 151·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe package presents itself as Segment-based event tracking but its files contain only UTM/pixel templates and a simple UTM CLI; there is a mismatch between the claimed capability and the actual code/instructions.
评估建议
This package looks like a collection of tracking documentation, UTM link generator, and pixel snippet templates—not an autonomous Segment event sender. If you expected a skill that actually sends events to Segment, do NOT hand over any Segment write keys yet: the code to use them is not present. Actions you can take before installing or using it:
- If you only need a UTM builder or pixel snippets, it's safe to run the included utm_builder.py locally (Python 3.8+, standard library only).
- If you...详细分析 ▾
⚠ 用途与能力
The skill is titled and described as "Track events and user behavior using Segment," and SKILL.md shows CLI commands like `analytics-tracking track`/`identify`/`group`. However, the repository contains only a UTM builder, pixel config JSON files and a tracking plan—no Segment SDK calls, no network code for sending events, and no environment variables or primary credential for a Segment write key. The stated purpose (automated Segment event tracking) is not implemented by the included artifacts.
ℹ 指令范围
Runtime instructions mostly show examples for building UTM links and copy-paste pixel snippets. They also demonstrate a CLI named `analytics-tracking` (track/identify/group) that is not present in the files. SKILL.md does not instruct the agent to read system files or exfiltrate secrets. The inconsistency is about missing/opaque runtime behavior rather than malicious actions in the instructions themselves.
✓ 安装机制
There is no install specification (instruction-only plus a small Python script). No external downloads, package manager installs, or archive extraction are present. The only code uses the Python standard library (urllib) and is low-risk to install/run locally.
⚠ 凭证需求
No environment variables or credentials are requested. That is appropriate for a UTM builder and static templates—but inconsistent with the claim to "use Segment" or to perform event tracking. A legitimate Segment-integrating skill would request a SEGMENT_WRITE_KEY (or similar) and include code to use it; those are missing. This mismatch could lead to confusion or to users supplying credentials to a different/unknown implementation later.
✓ 持久化与权限
The skill does not request persistent presence (always is false) and contains no install behavior that modifies other skills or system-wide configuration. There is no autonomous elevation of privilege indicated.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install analytics-tracking-dv
镜像加速npx clawhub@latest install analytics-tracking-dv --registry https://cn.longxiaskill.com 镜像可用