Security Decision Report

uplo-defense

This defense knowledge-management skill carries significant supply-chain and data-exfiltration risk: it executes an unpinned npm package via npx -y, and it transmits potentially sensitive defense information to an external service.

Install decision first · Source: manual upload · Scanned: 2026/4/4
Files: 4
IOCs: 10
Over-privilege items: 1
Findings: 4
Most direct threat evidence
01 · User installs skill from clawhub/registry · supply · README.md
02 · Skill config triggers 'npx -y @agentdocs1/mcp-server' without version pin · supply · skill.json
03 · Attacker publishes malicious version of @agentdocs1/mcp-server to npm (or typosquat package) · compromise · npm registry

Why this conclusion

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

1 capability or over-privileged behavior found beyond what the skill declares.

Review
Hidden execution and outbound connections

10 general-risk artifacts extracted; these need context to judge.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain plus 2 high or critical findings.

Review
Dependencies and supply-chain hygiene

1 dependency or supply-chain lead found that needs attention.

Attack chain

01 · User installs skill from clawhub/registry
supply · README.md:35

02 · Skill config triggers 'npx -y @agentdocs1/mcp-server' without version pin
supply · skill.json:15

03 · Attacker publishes malicious version of @agentdocs1/mcp-server to npm (or typosquat package)
compromise · npm registry

04 · Malicious MCP server receives API_KEY and defense data, exfiltrates to attacker-controlled endpoint
Final impact · runtime

How the risk score was driven up

Unpinned npm package via npx -y +35

@agentdocs1/mcp-server is fetched without a version pin, so whatever npm resolves at run time is executed; the package could be replaced with malicious code at any time

Defense data sent to external third-party service +25

ITAR-controlled data, personnel records, security clearances routed through external UPLO service

API key passed to external service +12

User's API_KEY environment variable exposed to third-party MCP server

Key evidence

High · Supply chain

Unpinned npm package execution via npx -y

The skill executes @agentdocs1/mcp-server via 'npx -y' with no version pin, so whatever version the registry resolves at run time is executed, including a malicious version published at any later date. The package name 'agentdocs1' is itself a red flag: it is not a clearly established vendor and could be a typosquatting target.

skill.json:15
Pin to an exact version (npx @agentdocs1/mcp-server@<exact version>) or, better, install locally and verify the package hash before running it.
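What "a local installation with verified hash" looks like in practice, as an added example (not code from the skill, from UPLO or from npm itself): npm records each dependency's tarball hash in package-lock.json as a Subresource Integrity string, '<algorithm>-<base64 digest>', keyed under 'packages' as 'node_modules/<name>' in lockfile versions 2 and 3. The check below recomputes that digest over the tarball bytes and compares it in constant time, and also reports whether the lock entry carries an exact version and a registry 'resolved' URL. The tarball bytes, the 0.0.0 version and the lock entry are constructed for the demo; sha1 integrity strings are rejected as obsolete.

```python
"""Verify a locally obtained npm tarball against the `integrity` field in
package-lock.json. Added example; TARBALL, the 0.0.0 version and LOCK below
are constructed demo data, not the real @agentdocs1/mcp-server artifact."""
import base64
import hashlib
import hmac
from typing import Dict

# Strongest first. sha1 is deliberately absent: npm still accepts it in old
# lockfiles, but it should not be trusted for supply-chain verification.
PREFERENCE = ("sha512", "sha384", "sha256")


def sri_digest(algo: str, data: bytes) -> str:
    """Compute an SRI string the way npm does: '<algo>-' + base64(raw digest)."""
    if algo not in PREFERENCE:
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """True iff the bytes match the recorded SRI string.

    npm may record several space-separated hashes; the strongest supported
    one is checked, in constant time. No supported hash -> False.
    """
    offered = {}
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in PREFERENCE:
            offered[algo] = token
    for algo in PREFERENCE:
        if algo in offered:
            return hmac.compare_digest(sri_digest(algo, data), offered[algo])
    return False


def lock_entry(lock: Dict, name: str) -> Dict:
    """Look up a package in a lockfileVersion 2/3 package-lock.json by name."""
    try:
        return lock["packages"][f"node_modules/{name}"]
    except KeyError:
        raise KeyError(f"{name} is not in the lockfile") from None


def check_package(lock: Dict, name: str, tarball: bytes) -> Dict:
    """Cross-check a lock entry: version present, registry origin, integrity."""
    entry = lock_entry(lock, name)
    resolved = entry.get("resolved", "")
    return {
        "version": entry.get("version"),
        "resolved_from_registry": resolved.startswith("https://registry.npmjs.org/"),
        "integrity_ok": verify_integrity(tarball, entry.get("integrity", "")),
    }


# Constructed demo data: a fake tarball, a lock entry whose integrity was
# computed from exactly those bytes, and a tampered copy of the tarball.
TARBALL = b"\x1f\x8b" + b"constructed fake @agentdocs1/mcp-server tarball payload"
TAMPERED = TARBALL + b"\x00"
LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@agentdocs1/mcp-server": {
            "version": "0.0.0",  # placeholder, not a real release
            "resolved": "https://registry.npmjs.org/@agentdocs1/mcp-server/-/mcp-server-0.0.0.tgz",
            "integrity": sri_digest("sha512", TARBALL),
        }
    },
}


def demo(data: bytes = TARBALL) -> Dict:
    return check_package(LOCK, "@agentdocs1/mcp-server", data)


if __name__ == "__main__":
    print("genuine :", demo(TARBALL))
    print("tampered:", demo(TAMPERED))
```

Run the same check against the tarball that `npm pack` or the registry actually hands you before the package is allowed to execute; an `npx -y` invocation performs none of this against a lockfile you control, which is why the report scores it as the top contributor.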
High · Data exfiltration

Defense-sensitive data routed to external third-party service

The skill is designed to query ITAR-controlled technical data, personnel security clearances, mission planning documents, and logistics records. This sensitive defense information is transmitted to an external UPLO service operated by a third party. This raises significant CUI/SPII/FOIA concerns and potential ITAR/EAR violations.

SKILL.md:1
Never route controlled defense data through external third-party services. Use local-only deployment.
Medium · Credential theft

API key exposed to external MCP server process

The user's API_KEY is passed directly as an environment variable to the externally-fetched npm package. This creates an opportunity for credential harvesting by a compromised or malicious package.

skill.json:21
Use credential injection mechanisms that don't expose secrets as environment variables to third-party processes
Low · Documentation deception

Identity patch file adds undeclared behavioral directives

The identity-patch.md file contains behavioral instructions ('always query UPLO first', 'verify clearance and need-to-know') that are not declared in the capabilities list in SKILL.md. While not malicious in itself, this hidden instruction layer could be used to subtly steer the AI's behavior.

identity-patch.md:1
Declare all behavioral instructions in the main SKILL.md file for transparency

Declared vs. actual capabilities

Network access · Pass
Declared: READ
Inferred: READ
skill.json:15-23 - MCP server configured with HTTP transport to external URL
Environment variables · Pass
Declared: READ
Inferred: READ
skill.json:20-22 - API_KEY passed as env var to external service
Command execution · Block
Declared: NONE
Inferred: WRITE
skill.json:14 - npx -y executes arbitrary npm package code
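The gap in this table (command execution inferred as WRITE while declared NONE), the unpinned-npx finding and the API key handed over as an environment variable can all be checked mechanically before a skill is installed. The following is an added example written for this report, not code from the skill, ClawHub or UPLO: a small Python linter over an MCP client config. The 'mcpServers' map with command/args/env is the common MCP client layout and is assumed here; the sample config, the '--endpoint' argument, the placeholder dist path and the loopback endpoint are all constructed.

```python
"""Lint MCP server entries for the pattern this report flags: a package run
via `npx -y` with no version pin, secrets handed to that process as env vars,
and outbound endpoints. Added example; the "mcpServers" command/args/env
layout is the usual MCP client shape and is assumed, the sample is constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Only x.y.z (optionally with prerelease/build) counts as a pin. "latest",
# "next", "^1.2" or no version at all resolve at run time.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)
URL = re.compile(r"https?://[^\s\"']+")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    server: str
    severity: str
    message: str


def split_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split an npm spec into (name, version-or-tag). Scoped names start with
    '@', so the separator is the last '@' at index > 0:
    '@scope/pkg' -> ('@scope/pkg', None); '@scope/pkg@1.2.3' -> ('@scope/pkg', '1.2.3')."""
    at = spec.rfind("@")
    return (spec, None) if at <= 0 else (spec[:at], spec[at + 1:])


def npx_target(command: str, args: List[str]) -> Tuple[Optional[str], bool]:
    """Return (package spec npx would run, whether -y/--yes was given)."""
    if command not in ("npx", "npx.cmd"):
        return None, False
    auto_yes = False
    for arg in args:
        if arg in ("-y", "--yes"):
            auto_yes = True
        elif not arg.startswith("-"):
            return arg, auto_yes  # first non-flag token is the package spec
    return None, auto_yes


def outbound_urls(entry: dict) -> List[str]:
    """Collect non-loopback http(s) URLs from args, env values and 'url'."""
    strings = list(entry.get("args", [])) + list(entry.get("env", {}).values())
    strings += [entry["url"]] if "url" in entry else []
    return [m.group(0) for s in strings for m in URL.finditer(str(s))
            if (urlparse(m.group(0)).hostname or "") not in LOOPBACK]


def lint_servers(config: dict) -> List[Finding]:
    out: List[Finding] = []
    for name, entry in config.get("mcpServers", {}).items():
        spec, auto_yes = npx_target(entry.get("command", ""), entry.get("args", []))
        if spec is not None:
            pkg, version = split_spec(spec)
            if version is None or not EXACT_SEMVER.match(version):
                out.append(Finding(name, "HIGH", f"{pkg} resolves to "
                           f"'{version or 'latest'}' at run time; pin an exact version"))
            if auto_yes:
                out.append(Finding(name, "MEDIUM",
                           "npx -y installs the package silently on first run"))
        for var in entry.get("env", {}):
            if SECRET_NAME.search(var):
                out.append(Finding(name, "MEDIUM",
                           f"{var} is handed to the server process as an env var"))
        for url in outbound_urls(entry):
            out.append(Finding(name, "MEDIUM", f"outbound endpoint {url}"))
    return out


# Constructed sample. The first entry mirrors the report's description of
# skill.json; the second is the hardened form: a locally installed, hash-
# verified copy run with node, no npx, no secret in env, loopback endpoint.
# The dist/index.js path is a placeholder, not the package's real entry point.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "uplo-defense": {
      "command": "npx",
      "args": ["-y", "@agentdocs1/mcp-server", "--endpoint", "https://app.uplo.ai"],
      "env": {"API_KEY": "${API_KEY}"}
    },
    "uplo-defense-local": {
      "command": "node",
      "args": ["./node_modules/@agentdocs1/mcp-server/dist/index.js",
               "--endpoint", "http://127.0.0.1:8080"],
      "env": {"LOG_LEVEL": "info"}
    }
  }
}
""")


def lint_sample() -> List[Finding]:
    return lint_servers(SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in lint_sample():
        print(f"[{f.severity}] {f.server}: {f.message}")
```

On the constructed sample the weak entry produces one HIGH and three MEDIUM findings and the hardened entry produces none. The split on the last '@' matters: a naive split on the first '@' would mis-parse every scoped package and report '@agentdocs1/mcp-server' as pinned to 'agentdocs1/mcp-server'.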

Suspicious artifacts and outbound connections

Medium · External URL
https://img.shields.io/badge/ClawHub-uplo-defense-blue

README.md:5

Medium · External URL
https://clawhub.com/skills/uplo-defense

README.md:5

Medium · External URL
https://img.shields.io/badge/MCP-21_tools-green

README.md:6

Medium · External URL
https://img.shields.io/badge/schemas-5-orange

README.md:7

Medium · External URL
https://uplo.ai/schemas

README.md:7

Medium · External URL
https://your-instance.uplo.ai

README.md:24

Medium · External URL
https://clawhub.com/skills/uplo-knowledge-management

README.md:60

Medium · External URL
https://clawhub.com/skills/uplo-accounting

README.md:61

Medium · External URL
https://clawhub.com/skills/uplo-agriculture

README.md:62

Medium · External URL
https://app.uplo.ai

skill.json:17

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
@agentdocs1/mcp-server | latest (unpinned) | npm | none listed | CRITICAL: no version specified, fetched via npx -y
npx | any | npm | none listed | Used to execute the unpinned external package

File composition

4 files · 235 lines
Markdown: 3 files · 186 lines · JSON: 1 file · 49 lines
Files needing attention · 4
SKILL.md · Markdown · 107 lines
Defense-sensitive data routed to external third-party service
README.md · Markdown · 70 lines
https://img.shields.io/badge/ClawHub-uplo-defense-blue · https://clawhub.com/skills/uplo-defense · https://img.shields.io/badge/MCP-21_tools-green · https://img.shields.io/badge/schemas-5-orange · https://uplo.ai/schemas · https://your-instance.uplo.ai · https://clawhub.com/skills/uplo-knowledge-management · https://clawhub.com/skills/uplo-accounting · https://clawhub.com/skills/uplo-agriculture
identity-patch.md · Markdown · 9 lines
Identity patch file adds undeclared behavioral directives
skill.json · JSON · 49 lines
Unpinned npm package execution via npx -y · API key exposed to external MCP server process · https://app.uplo.ai

Security highlights

No local script execution: all functionality goes through documented MCP tools
No direct filesystem access declared or required
No credential harvesting or exfiltration observed in the skill files themselves
Capabilities are relatively well-documented in SKILL.md