High risk: risk score 72/100
Last scan: 20 hours ago
uplo-defense
AI-powered defense knowledge management for ITAR-controlled information, personnel data, and mission documentation
This defense knowledge management skill presents significant supply chain and data exfiltration risks through unpinned npm package execution and external transmission of potentially sensitive defense information.
Skill name: uplo-defense
Analysis time: 54.5s
Engine: pi
Do not install this skill
Avoid using this skill in production defense environments. The use of npx -y without version pinning creates a critical supply chain vulnerability. Consider alternatives that run entirely locally or that use version-pinned, audited dependencies.

Attack chain (4 steps)

1. Privilege escalation: User installs the skill from clawhub/registry (README.md:35)
2. Privilege escalation: Skill config triggers 'npx -y @agentdocs1/mcp-server' without a version pin (skill.json:15)
3. Privilege escalation: Attacker publishes a malicious version of @agentdocs1/mcp-server to npm, or a typosquat package (npm registry)
4. Impact: Malicious MCP server receives API_KEY and defense data and exfiltrates them to an attacker-controlled endpoint (runtime)

Security findings (4)

Severity | Finding | Location

High: Unpinned npm package execution via npx -y (Supply chain)
The skill executes @agentdocs1/mcp-server using 'npx -y' without any version pinning. This means any version of this package could be executed, including malicious versions that could be published at any time. The package name 'agentdocs1' also appears suspicious: it is not a clearly established vendor and could be a typosquatting target.
"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]
→ Pin to a specific version: npx @agentdocs1/[email protected] or, better yet, use a local installation with a verified hash
skill.json:15

High: Defense-sensitive data routed to an external third-party service (Data exfiltration)
The skill is designed to query ITAR-controlled technical data, personnel security clearances, mission planning documents, and logistics records. This sensitive defense information is transmitted to an external UPLO service operated by a third party. This raises significant CUI/SPII/FOIA concerns and potential ITAR/EAR violations.
Search mission documentation, logistics records, personnel data, and ITAR-controlled information
→ Never route controlled defense data through external third-party services. Use local-only deployment.
SKILL.md:1

Medium: API key exposed to external MCP server process (Credential theft)
The user's API_KEY is passed directly as an environment variable to the externally fetched npm package. This creates an opportunity for credential harvesting by a compromised or malicious package.
"API_KEY": "${config.api_key}"
→ Use credential injection mechanisms that do not expose secrets as environment variables to third-party processes
skill.json:21

Low: Identity patch file adds undeclared behavioral directives (Documentation deception)
The identity-patch.md file contains behavioral instructions ('always query UPLO first', 'verify clearance and need-to-know') that are not declared in the main SKILL.md capabilities list. While not malicious, this hidden instruction layer could be used to subtly manipulate AI behavior.
always query UPLO first to provide answers grounded in your organization's actual defense operations
→ Declare all behavioral instructions in the main SKILL.md file for transparency
identity-patch.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | skill.json:15-23 - MCP server configured with HTTP transport to external URL
Environment variables | READ | READ | ✓ Consistent | skill.json:20-22 - API_KEY passed as env var to external service
Command execution | NONE | WRITE | ✗ Exceeds declaration | skill.json:14 - npx -y executes arbitrary npm package code
10 findings (external URLs)

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/ClawHub-uplo-defense-blue | README.md:5
Medium | External URL | https://clawhub.com/skills/uplo-defense | README.md:5
Medium | External URL | https://img.shields.io/badge/MCP-21_tools-green | README.md:6
Medium | External URL | https://img.shields.io/badge/schemas-5-orange | README.md:7
Medium | External URL | https://uplo.ai/schemas | README.md:7
Medium | External URL | https://your-instance.uplo.ai | README.md:24
Medium | External URL | https://clawhub.com/skills/uplo-knowledge-management | README.md:60
Medium | External URL | https://clawhub.com/skills/uplo-accounting | README.md:61
Medium | External URL | https://clawhub.com/skills/uplo-agriculture | README.md:62
Medium | External URL | https://app.uplo.ai | skill.json:17

Directory structure

4 files · 12.0 KB · 235 lines
Markdown: 3 files, 186 lines · JSON: 1 file, 49 lines
├─ identity-patch.md (Markdown, 9 lines, 1.8 KB)
├─ README.md (Markdown, 70 lines, 2.7 KB)
├─ skill.json (JSON, 49 lines, 1.2 KB)
└─ SKILL.md (Markdown, 107 lines, 6.3 KB)

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
@agentdocs1/mcp-server | latest (unpinned) | npm | CRITICAL: No version specified | Fetched via npx -y
npx | any | npm | - | Used to execute the unpinned external package

Security highlights

✓ No local script execution: all functionality is exposed through documented MCP tools
✓ No direct filesystem access declared or required
✓ No credential harvesting or exfiltration observed in the skill files themselves
✓ Capabilities are relatively well documented in SKILL.md