uplo-customer-success 安全扫描报告 — 低风险 | ClawSafe

5 /100

uplo-customer-success

AI-powered customer success knowledge management. Search account health data, onboarding records, renewal tracking, and support escalation documentation with structured extraction.

This is a legitimate UPLO customer success knowledge management MCP skill with no malicious indicators - only documentation and configuration files, no executable scripts, and standard MCP protocol usage.

技能名称uplo-customer-success

分析耗时40.9s

引擎pi

✓

可以安装

This skill is safe to use. Ensure the UPLO instance URL uses HTTPS in production, and follow standard API key rotation practices.

安全发现 2 项

严重性	安全发现	位置
低危	External MCP server dependency 供应链 The skill uses 'npx -y @agentdocs1/mcp-server' to bootstrap an external MCP server. While this is standard for MCP tools, it downloads code at runtime. `"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]` → Pin the @agentdocs1/mcp-server version in production for reproducibility	`skill.json:13`
提示	HTTP URL placeholder in config 文档欺骗 The configuration example uses an HTTP URL placeholder. Production deployments should use HTTPS. `"agentdocs_url": "https://app.uplo.ai"` → Ensure production instances use HTTPS endpoints	`skill.json:17`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem access declared or inferred - MCP tool operates via remote service
网络访问	`READ`	`READ`	✓ 一致	skill.json:17-18 - HTTP transport to configured UPLO instance URL
命令执行	`NONE`	`NONE`	—	No direct shell execution - only npx for MCP server bootstrap
环境变量	`NONE`	`NONE`	—	Only AGENTDOCS_URL and API_KEY injected for MCP server, not iterated or exfiltra…
技能调用	`READ`	`READ`	✓ 一致	skill.json:21-25 - 5 capabilities declared (search_knowledge, search_with_contex…

10 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-customer-success-blue

README.md:5

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-customer-success

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/schemas-4-orange

README.md:7

🔗

中危外部 URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

中危外部 URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-customer-360

README.md:60

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:61

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-accounting

README.md:62

🔗

中危外部 URL 外部 URL

https://app.uplo.ai

skill.json:17

目录结构

4 文件 · 10.8 KB · 217 行

Markdown 3f · 168L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.8 KB

├─ 📝 README.md Markdown 70L · 2.8 KB

├─ 📋 skill.json JSON 49L · 1.3 KB

└─ 📝 SKILL.md Markdown 89L · 4.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@agentdocs1/mcp-server`	`latest (unpinned)`	npm (via npx)	否	Version not pinned - installed via npx -y at runtime

安全亮点

✓ No executable scripts or code files present - only documentation

✓ No credential harvesting or exfiltration detected

✓ No obfuscation techniques (base64, eval, etc.)

✓ Capabilities are clearly documented and match implementation

✓ Uses standard MCP protocol with HTTP transport

✓ API key is used only for service authentication, not exfiltrated

✓ No sensitive file/path access (SSH, AWS, .env files)

✓ No reverse shell, C2 communication, or data theft patterns