uplo-devops 安全扫描报告 — 低风险 | ClawSafe

12 /100

uplo-devops

AI-powered DevOps knowledge management. Search runbooks, infrastructure documentation, CI/CD pipelines, and incident response procedures with structured extraction.

UPLO DevOps is a legitimate knowledge management skill that uses standard MCP server patterns with declared network and credential access. No malicious behavior detected.

技能名称uplo-devops

分析耗时28.9s

引擎pi

✓

可以安装

Approve for use. Ensure the agentdocs_url points to a trusted internal UPLO instance rather than a third-party service.

安全发现 1 项

严重性	安全发现	位置
低危	MCP server downloaded at runtime via npx 供应链 The skill downloads @agentdocs1/mcp-server via npx -y at runtime. This is standard MCP behavior but introduces a third-party dependency that could be replaced with a different package. `"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]` → Consider vendoring the MCP server or pinning to a specific version with hash verification.	`SKILL.md:75`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	MCP HTTP transport to agentdocs_url
环境变量	`NONE`	`READ`	✓ 一致	AGENTDOCS_URL, API_KEY, DEFAULT_PACKS set in env
技能调用	`READ`	`READ`	✓ 一致	SKILL.md defines MCP tools: search_knowledge, search_with_context, etc.

10 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-devops-blue

README.md:5

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-devops

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/schemas-5-orange

README.md:7

🔗

中危外部 URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

中危外部 URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-engineering

README.md:60

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-enterprise-it

README.md:61

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:62

🔗

中危外部 URL 外部 URL

https://app.uplo.ai

skill.json:17

目录结构

4 文件 · 11.5 KB · 231 行

Markdown 3f · 182L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.8 KB

├─ 📝 README.md Markdown 70L · 2.7 KB

├─ 📋 skill.json JSON 49L · 1.2 KB

└─ 📝 SKILL.md Markdown 103L · 5.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@agentdocs1/mcp-server`	`latest (unpinned)`	npm (via npx)	否	Downloaded at runtime; version not pinned

安全亮点

✓ No shell execution, subprocess, or code execution vectors found

✓ No filesystem access beyond skill_invoke capability

✓ No credential harvesting or exfiltration patterns

✓ No base64 encoding, eval(), or obfuscation detected

✓ API key handling follows standard environment variable practices

✓ Documentation accurately describes functionality

✓ No hidden functionality or doc-to-code mismatch

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env