uplo-agriculture Security Report — Low Risk | ClawSafe

15 /100

uplo-agriculture

AI-powered agricultural knowledge management. Search crop management records, livestock data, compliance documentation, and sustainability reports.

This is a legitimate agricultural knowledge management skill using the MCP protocol with no malicious code present, though the unversioned npx package dependency poses a minor supply chain risk.

Skill Nameuplo-agriculture

Duration52.4s

Enginepi

✓

Safe to install

Consider pinning the MCP server version (e.g., `@agentdocs1/[email protected]` instead of `@agentdocs1/mcp-server`) to prevent unexpected updates. Otherwise safe to use.

Findings 1 items

Severity	Finding	Location
Low	Unpinned MCP server package version Supply Chain The skill installs @agentdocs1/mcp-server using npx -y without version pinning, allowing any version to be installed. This could lead to unexpected behavior if the package is updated. `"args": ["-y", "@agentdocs1/mcp-server", "--http"]` → Pin the package version: @agentdocs1/[email protected] or @agentdocs1/[email protected]	`skill.json:22`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	HTTP transport to configured UPLO endpoint via MCP protocol
Environment	`READ`	`READ`	✓ Aligned	Reads AGENTDOCS_URL and API_KEY from config/env
Filesystem	`NONE`	`NONE`	—	No filesystem access declared or observed
Shell	`NONE`	`NONE`	—	No shell commands executed; mcporter calls are tool invocations
Skill Invoke	`WRITE`	`WRITE`	✓ Aligned	Uses mcporter to invoke UPLO MCP tools

10 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-agriculture-blue

README.md:5

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-agriculture

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/schemas-4-orange

README.md:7

🔗

Medium External URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

Medium External URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-environmental

README.md:60

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:61

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-sustainability

README.md:62

🔗

Medium External URL 外部 URL

https://app.uplo.ai

skill.json:17

File Tree

4 files · 7.2 KB · 185 lines

Markdown 3f · 136L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.7 KB

├─ 📝 README.md Markdown 70L · 2.7 KB

├─ 📋 skill.json JSON 49L · 1.2 KB

└─ 📝 SKILL.md Markdown 57L · 1.5 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@agentdocs1/mcp-server`	`unpinned`	npx	No	Package version not specified - any version may be installed

Security Positives

✓ Well-documented SKILL.md with clear scope and purpose

✓ API key declared as secret in config, not hardcoded

✓ No direct filesystem, shell, or sensitive path access

✓ No credential harvesting or data exfiltration code

✓ No obfuscation patterns (base64, eval, etc.)

✓ Uses legitimate MCP protocol standard

✓ No suspicious network connections beyond declared MCP endpoint

✓ Classification tier controls documented

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives