uplo-compliance 安全扫描报告 — 低风险 | ClawSafe

15 /100

uplo-compliance

AI-powered compliance intelligence spanning legal, financial, and government regulatory requirements

This is a legitimate compliance intelligence skill with documented MCP server integration and external API connectivity. Minor supply chain concern from unpinned npx dependency.

技能名称uplo-compliance

分析耗时37.0s

引擎pi

✓

可以安装

Pin the @agentdocs1/mcp-server package to a specific version (e.g., npx -y @agentdocs1/[email protected]) to prevent supply chain attacks from malicious updates.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned MCP Server Dependency 供应链 The skill uses 'npx -y @agentdocs1/mcp-server' without pinning to a specific version. This allows the package to be updated to a potentially malicious version between executions. `"args": ["-y", "@agentdocs1/mcp-server", "--http"]` → Pin to a specific version: npx -y @agentdocs1/[email protected]	`skill.json:18`
低危	External API Key Required 敏感访问 The skill requires users to provide an API_KEY for the UPLO service. Users should ensure this key has minimal required permissions. `"api_key": {"type": "string", "required": true, "secret": true}` → Use a scoped API key with least privilege access to the compliance knowledge base only	`skill.json:14`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	skill.json:17-21 - MCP server connects to external UPLO instance
技能调用	`WRITE`	`WRITE`	✓ 一致	skill.json:25-28 - MCP tools (search_knowledge, search_with_context, etc.)
文件系统	`NONE`	`NONE`	—	No filesystem operations detected in documentation
命令执行	`NONE`	`NONE`	—	npx command is for package execution, not user shell access

10 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-compliance-blue

README.md:5

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-compliance

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/schemas-21-orange

README.md:7

🔗

中危外部 URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

中危外部 URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-environmental

README.md:62

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-government

README.md:63

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:64

🔗

中危外部 URL 外部 URL

https://app.uplo.ai

skill.json:17

目录结构

4 文件 · 11.7 KB · 231 行

Markdown 3f · 182L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.8 KB

├─ 📝 README.md Markdown 72L · 2.8 KB

├─ 📋 skill.json JSON 49L · 1.3 KB

└─ 📝 SKILL.md Markdown 101L · 5.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@agentdocs1/mcp-server`	`*`	npm	否	Version not pinned - supply chain risk

安全亮点

✓ No shell execution or subprocess calls to user environment

✓ No credential harvesting beyond what the service requires

✓ No base64 encoding, obfuscation, or anti-analysis patterns

✓ Documentation clearly describes all MCP tools and their purpose

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

✓ API key is marked as secret in skill.json config