Low risk: risk score 20/100
Last scanned: 19 hours ago
uplo-banking
AI-powered banking knowledge management. Search KYC records, regulatory reports, risk assessments, and loan processing documentation.
This is a legitimate banking knowledge management MCP skill with no malicious indicators, though it relies on an external npm package for its core functionality.
Skill name: uplo-banking
Analysis time: 44.8s
Engine: pi
OK to install
Accept for use. The skill relies on the external @agentdocs1/mcp-server package - verify the package integrity before production deployment.

Security findings: 2

Severity | Finding | Location
Low
External MCP server dependency (Supply chain)
The skill uses @agentdocs1/mcp-server from npm as its core implementation. This external package is not pinned to a specific version and could be modified. Users must trust the package maintainer.
"@agentdocs1/mcp-server"
→ Pin the package version in skill.json (e.g., @agentdocs1/[email protected]) and verify package integrity before deployment.
skill.json:6
Low
No version pinning for npx package (Supply chain)
The skill runs 'npx -y @agentdocs1/mcp-server' which fetches the latest version each time. This could lead to unexpected behavior if the package is updated.
["-y", "@agentdocs1/mcp-server", "--http"]
→ Specify an exact version: 'npx @agentdocs1/[email protected] --http'
skill.json:17
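Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem access documented or implemented
Network access | READ | READ | ✓ Consistent | MCP HTTP transport to configured UPLO instance
Command execution | NONE | WRITE | ✓ Consistent | skill.json:5 - npx command execution for MCP server startup
Environment variables | READ | READ | ✓ Consistent | skill.json:20-24 - reads API_KEY and AGENTDOCS_URL from config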
10 findings
Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/ClawHub-uplo-banking-blue | README.md:5
Medium | External URL | https://clawhub.com/skills/uplo-banking | README.md:5
Medium | External URL | https://img.shields.io/badge/MCP-21_tools-green | README.md:6
Medium | External URL | https://img.shields.io/badge/schemas-5-orange | README.md:7
Medium | External URL | https://uplo.ai/schemas | README.md:7
Medium | External URL | https://your-instance.uplo.ai | README.md:24
Medium | External URL | https://clawhub.com/skills/uplo-knowledge-management | README.md:60
Medium | External URL | https://clawhub.com/skills/uplo-risk-management | README.md:61
Medium | External URL | https://clawhub.com/skills/uplo-accounting | README.md:62
Medium | External URL | https://app.uplo.ai | skill.json:17

Directory structure

4 files · 7.2 KB · 185 lines
Markdown 3f · 136L JSON 1f · 49L
├─ 📝 identity-patch.md Markdown 9L · 1.9 KB
├─ 📝 README.md Markdown 70L · 2.7 KB
├─ 📋 skill.json JSON 49L · 1.2 KB
└─ 📝 SKILL.md Markdown 57L · 1.4 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@agentdocs1/mcp-server | * | npm | | Not version pinned - latest version fetched each time

Security highlights

✓ No scripts or custom code - purely declarative MCP configuration
✓ No base64-encoded content or obfuscation detected
✓ API key properly declared as secret in skill.json
✓ No credential harvesting or exfiltration patterns
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ No curl|bash or remote script execution
✓ No reverse shell or C2 indicators
✓ Network behavior matches documented functionality
✓ Classification tiers properly documented for sensitive banking data