Skill Trust Decision

uplo-defense

This defense knowledge management skill presents significant supply chain and data exfiltration risks through unpinned npm package execution and external transmission of potentially sensitive defense information.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 4
Artifacts 10
Violations 1
Findings 4
Most direct threat evidence
01
User installs skill from clawhub/registry supply · README.md
02
Skill config triggers 'npx -y @agentdocs1/mcp-server' without version pin supply · skill.json
03
Attacker publishes malicious version of @agentdocs1/mcp-server to npm (or typosquat package) compromise · npm registry

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

10 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
User installs skill from clawhub/registry

supply · README.md:35

02
Skill config triggers 'npx -y @agentdocs1/mcp-server' without version pin

supply · skill.json:15

03
Attacker publishes malicious version of @agentdocs1/mcp-server to npm (or typosquat package)

compromise · npm registry

04
Malicious MCP server receives API_KEY and defense data, exfiltrates to attacker-controlled endpoint

Impact · runtime

What drove the risk score up

Unpinned npm package via npx -y +35

@agentdocs1/mcp-server fetched without version pin - package could be replaced with malicious code at any time

Defense data sent to external third-party service +25

ITAR-controlled data, personnel records, security clearances routed through external UPLO service

API key passed to external service +12

User's API_KEY environment variable exposed to third-party MCP server

Most important evidence

High Supply Chain

Unpinned npm package execution via npx -y

The skill executes @agentdocs1/mcp-server using 'npx -y' without any version pinning. This means any version of this package could be executed, including malicious versions that could be published at any time. The package name 'agentdocs1' also appears suspicious - it's not a clearly established vendor and could be a typosquatting target.

skill.json:15
Pin to a specific version: npx @agentdocs1/mcp-server@<pinned-version> (the exact version string was lost in extraction), or better yet, use a local installation with a verified hash
High Data Exfil

Defense-sensitive data routed to external third-party service

The skill is designed to query ITAR-controlled technical data, personnel security clearances, mission planning documents, and logistics records. This sensitive defense information is transmitted to an external UPLO service operated by a third party. This raises significant CUI/SPII/FOIA concerns and potential ITAR/EAR violations.

SKILL.md:1
Never route controlled defense data through external third-party services. Use local-only deployment.
Medium Credential Theft

API key exposed to external MCP server process

The user's API_KEY is passed directly as an environment variable to the externally-fetched npm package. This creates an opportunity for credential harvesting by a compromised or malicious package.

skill.json:21
Use credential injection mechanisms that don't expose secrets as environment variables to third-party processes
Low Doc Mismatch

Identity patch file adds undeclared behavioral directives

The identity-patch.md file contains behavioral instructions ('always query UPLO first', 'verify clearance and need-to-know') that are not declared in the main SKILL.md capabilities list. While not malicious, this hidden instruction layer could be used to subtly manipulate AI behavior.

identity-patch.md:1
Declare all behavioral instructions in the main SKILL.md file for transparency

Declared capability vs actual capability

Network Pass
Declared READ
Inferred READ
skill.json:15-23 - MCP server configured with HTTP transport to external URL
Environment Pass
Declared READ
Inferred READ
skill.json:20-22 - API_KEY passed as env var to external service
Shell Block
Declared NONE
Inferred WRITE
skill.json:14 - npx -y executes arbitrary npm package code

Suspicious artifacts and egress

Medium External URL
https://img.shields.io/badge/ClawHub-uplo-defense-blue

README.md:5

Medium External URL
https://clawhub.com/skills/uplo-defense

README.md:5

Medium External URL
https://img.shields.io/badge/MCP-21_tools-green

README.md:6

Medium External URL
https://img.shields.io/badge/schemas-5-orange

README.md:7

Medium External URL
https://uplo.ai/schemas

README.md:7

Medium External URL
https://your-instance.uplo.ai

README.md:24

Medium External URL
https://clawhub.com/skills/uplo-knowledge-management

README.md:60

Medium External URL
https://clawhub.com/skills/uplo-accounting

README.md:61

Medium External URL
https://clawhub.com/skills/uplo-agriculture

README.md:62

Medium External URL
https://app.uplo.ai

skill.json:17

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
@agentdocs1/mcp-server | latest (unpinned) | npm | No | CRITICAL: No version specified, fetched via npx -y
npx | any | npm | No | Used to execute unpinned external package

File composition

4 files · 235 lines
Markdown 3 files · 186 lines
JSON 1 file · 49 lines
Files of concern · 4
SKILL.md Markdown · 107 lines
Defense-sensitive data routed to external third-party service
README.md Markdown · 70 lines
https://img.shields.io/badge/ClawHub-uplo-defense-blue · https://clawhub.com/skills/uplo-defense · https://img.shields.io/badge/MCP-21_tools-green · https://img.shields.io/badge/schemas-5-orange · https://uplo.ai/schemas · https://your-instance.uplo.ai · https://clawhub.com/skills/uplo-knowledge-management · https://clawhub.com/skills/uplo-accounting · https://clawhub.com/skills/uplo-agriculture
identity-patch.md Markdown · 9 lines
Identity patch file adds undeclared behavioral directives
skill.json JSON · 49 lines
Unpinned npm package execution via npx -y · API key exposed to external MCP server process · https://app.uplo.ai

Security positives

No local script execution - all functionality is through documented MCP tools
No direct filesystem access declared or required
No credential harvesting or exfiltration observed in the skill files themselves
Capabilities are relatively well-documented in SKILL.md