uplo-banking Security Report — Low Risk | ClawSafe

20 /100

uplo-banking

AI-powered banking knowledge management. Search KYC records, regulatory reports, risk assessments, and loan processing documentation.

This is a legitimate banking knowledge management MCP skill with no malicious indicators, though it relies on an external npm package for its core functionality.

Skill Nameuplo-banking

Duration44.8s

Enginepi

✓

Safe to install

Accept for use. The skill relies on the external @agentdocs1/mcp-server package - verify the package integrity before production deployment.

Findings 2 items

Severity	Finding	Location
Low	External MCP server dependency Supply Chain The skill uses @agentdocs1/mcp-server from npm as its core implementation. This external package is not pinned to a specific version and could be modified. Users must trust the package maintainer. `"@agentdocs1/mcp-server"` → Pin the package version in skill.json (e.g., @agentdocs1/[email protected]) and verify package integrity before deployment.	`skill.json:6`
Low	No version pinning for npx package Supply Chain The skill runs 'npx -y @agentdocs1/mcp-server' which fetches the latest version each time. This could lead to unexpected behavior if the package is updated. `["-y", "@agentdocs1/mcp-server", "--http"]` → Specify an exact version: 'npx @agentdocs1/[email protected] --http'	`skill.json:17`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem access documented or implemented
Network	`READ`	`READ`	✓ Aligned	MCP HTTP transport to configured UPLO instance
Shell	`NONE`	`WRITE`	✓ Aligned	skill.json:5 - npx command execution for MCP server startup
Environment	`READ`	`READ`	✓ Aligned	skill.json:20-24 - reads API_KEY and AGENTDOCS_URL from config

10 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-banking-blue

README.md:5

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-banking

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/schemas-5-orange

README.md:7

🔗

Medium External URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

Medium External URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:60

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-risk-management

README.md:61

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/uplo-accounting

README.md:62

🔗

Medium External URL 外部 URL

https://app.uplo.ai

skill.json:17

File Tree

4 files · 7.2 KB · 185 lines

Markdown 3f · 136L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.9 KB

├─ 📝 README.md Markdown 70L · 2.7 KB

├─ 📋 skill.json JSON 49L · 1.2 KB

└─ 📝 SKILL.md Markdown 57L · 1.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@agentdocs1/mcp-server`	`*`	npm	No	Not version pinned - latest version fetched each time

Security Positives

✓ No scripts or custom code - purely declarative MCP configuration

✓ No base64-encoded content or obfuscation detected

✓ API key properly declared as secret in skill.json

✓ No credential harvesting or exfiltration patterns

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)

✓ No curl|bash or remote script execution

✓ No reverse shell or C2 indicators

✓ Network behavior matches documented functionality

✓ Classification tiers properly documented for sensitive banking data

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives