中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 72/100
Last scan:20 hr ago Rescan
72 /100
uplo-defense
AI-powered defense knowledge management for ITAR-controlled information, personnel data, and mission documentation
This defense knowledge management skill presents significant supply chain and data exfiltration risks through unpinned npm package execution and external transmission of potentially sensitive defense information.
Skill Nameuplo-defense
Duration54.5s
Enginepi
Do not install this skill
Avoid using this skill in production defense environments. The use of npx -y without version pinning creates a critical supply chain vulnerability. Consider alternatives that run entirely local or use version-pinned, audited dependencies.

Attack Chain 4 steps

Escalation User installs skill from clawhub/registry
README.md:35
Escalation Skill config triggers 'npx -y @agentdocs1/mcp-server' without version pin
skill.json:15
Escalation Attacker publishes malicious version of @agentdocs1/mcp-server to npm (or typosquat package)
npm registry
Impact Malicious MCP server receives API_KEY and defense data, exfiltrates to attacker-controlled endpoint
runtime

Findings 4 items

Severity Finding Location
High
Unpinned npm package execution via npx -y Supply Chain
The skill executes @agentdocs1/mcp-server using 'npx -y' without any version pinning. This means any version of this package could be executed, including malicious versions that could be published at any time. The package name 'agentdocs1' also appears suspicious - it's not a clearly established vendor and could be a typosquatting target.
"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]
→ Pin to specific version: npx @agentdocs1/[email protected] or better yet, use a local installation with verified hash
 skill.json:15
High
Defense-sensitive data routed to external third-party service Data Exfil
The skill is designed to query ITAR-controlled technical data, personnel security clearances, mission planning documents, and logistics records. This sensitive defense information is transmitted to an external UPLO service operated by a third party. This raises significant CUI/SPII/FOIA concerns and potential ITAR/EAR violations.
Search mission documentation, logistics records, personnel data, and ITAR-controlled information
→ Never route controlled defense data through external third-party services. Use local-only deployment.
 SKILL.md:1
Medium
API key exposed to external MCP server process Credential Theft
The user's API_KEY is passed directly as an environment variable to the externally-fetched npm package. This creates an opportunity for credential harvesting by a compromised or malicious package.
"API_KEY": "${config.api_key}"
→ Use credential injection mechanisms that don't expose secrets as environment variables to third-party processes
 skill.json:21
Low
Identity patch file adds undeclared behavioral directives Doc Mismatch
The identity-patch.md file contains behavioral instructions ('always query UPLO first', 'verify clearance and need-to-know') that are not declared in the main SKILL.md capabilities list. While not malicious, this hidden instruction layer could be used to subtly manipulate AI behavior.
always query UPLO first to provide answers grounded in your organization's actual defense operations
→ Declare all behavioral instructions in the main SKILL.md file for transparency
 identity-patch.md:1
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned skill.json:15-23 - MCP server configured with HTTP transport to external URL
Environment READ READ ✓ Aligned skill.json:20-22 - API_KEY passed as env var to external service
Shell NONE WRITE ✗ Violation skill.json:14 - npx -y executes arbitrary npm package code
10 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-uplo-defense-blue
README.md:5
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/uplo-defense
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/MCP-21_tools-green
README.md:6
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/schemas-5-orange
README.md:7
🔗
Medium External URL 外部 URL
https://uplo.ai/schemas
README.md:7
🔗
Medium External URL 外部 URL
https://your-instance.uplo.ai
README.md:24
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/uplo-knowledge-management
README.md:60
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/uplo-accounting
README.md:61
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/uplo-agriculture
README.md:62
🔗
Medium External URL 外部 URL
https://app.uplo.ai
skill.json:17

File Tree

4 files · 12.0 KB · 235 lines
Markdown 3f · 186L JSON 1f · 49L
├─ 📝 identity-patch.md Markdown 9L · 1.8 KB
├─ 📝 README.md Markdown 70L · 2.7 KB
├─ 📋 skill.json JSON 49L · 1.2 KB
└─ 📝 SKILL.md Markdown 107L · 6.3 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
@agentdocs1/mcp-server latest (unpinned) npm No CRITICAL: No version specified, fetched via npx -y
npx any npm No Used to execute unpinned external package

Security Positives

✓ No local script execution - all functionality is through documented MCP tools
✓ No direct filesystem access declared or required
✓ No credential harvesting or exfiltration observed in the skill files themselves
✓ Capabilities are relatively well-documented in SKILL.md