Low Risk — Risk Score 20/100
Last scan: 19 hr ago
uplo-architecture
AI-powered architecture knowledge management. Search building designs, code compliance records, project specifications, and BIM data with structured extraction.
Legitimate MCP-based knowledge management skill with proper credential handling, though the supply chain dependency on @agentdocs1/mcp-server via npx introduces moderate third-party execution risk.
Skill Name: uplo-architecture
Duration: 70.6s
Engine: pi
Safe to install
Approve for use with standard sandboxing. Consider pinning @agentdocs1/mcp-server to a specific version in production to reduce supply chain risk.

Findings (2 items)

Severity: Low
Finding: Unpinned npm dependency via npx
Category: Supply Chain
Location: skill.json:19
The skill executes @agentdocs1/mcp-server via 'npx -y' without version pinning. With no version in the spec, npx resolves the package's 'latest' dist-tag at execution time, so whichever version is published at that moment is downloaded and run; if the package or its publisher account is compromised, malicious code runs with no change to the skill.
  "command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]
→ Pin the dependency to a specific version (the npm form is "@agentdocs1/mcp-server@<version>", with the exact version you have audited) to ensure reproducible and audited behavior.

Severity: Low
Finding: Documentation capability mismatch
Category: Doc Mismatch
Location: SKILL.md:1
SKILL.md, skill.json, and README.md list different capabilities: SKILL.md shows 5 tools, skill.json shows 5 different tools, and README.md references 21 MCP tools. This inconsistency could hide additional functionality.
SKILL.md lists: search_knowledge, search_with_context, export_org_context, get_directives, log_conversation
→ Unify capability documentation across SKILL.md, skill.json, and README.md to ensure transparency.
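The unpinned-npx finding above is easy to check mechanically before installing a skill. The following is an added example, not code from the scanner or from the uplo-architecture project: it walks a skill manifest, finds every npx command, and reports packages that carry no version or only a tag/range, and it shows the rewrite that pins one. The manifest is a constructed sample; only the quoted "command"/"args" pair comes from the report, and the surrounding keys and the "1.2.3" version are placeholders.

```python
import json
import re

# Constructed sample manifest for this example. Only the "command"/"args" pair
# is taken from the report's quoted skill.json line; the surrounding keys are
# assumed and do not come from the uplo-architecture skill itself.
SAMPLE_SKILL_JSON = """
{
  "name": "uplo-architecture",
  "mcp": {
    "command": "npx",
    "args": ["-y", "@agentdocs1/mcp-server", "--http"]
  }
}
"""

# npm package spec: optional @scope/, then name, then optional @<version|tag|range>.
NPM_SPEC = re.compile(r"^(?P<name>(?:@[^/@]+/)?[^@/]+)(?:@(?P<version>.+))?$")
# Exact semver only (1.2.3, 1.2.3-beta.1); tags like "latest" and ranges like "^1" fail this.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def iter_commands(node):
    """Yield every object in the JSON tree that has a "command" and an "args" list."""
    if isinstance(node, dict):
        if "command" in node and isinstance(node.get("args"), list):
            yield node
        for value in node.values():
            yield from iter_commands(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_commands(value)


def npx_package(args):
    """Return the package spec npx will execute: the first token that is not an npx flag.

    Good enough for the "npx -y <pkg> ..." shape in the report; flags that take a
    separate value (for example "--package <name>") are not modelled here.
    """
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def audit_manifest(text):
    """Return (package, reason) pairs for npx packages not pinned to an exact version."""
    findings = []
    for cmd in iter_commands(json.loads(text)):
        if cmd["command"] not in ("npx", "npx.cmd"):
            continue
        spec = npx_package(cmd["args"])
        match = NPM_SPEC.match(spec) if spec else None
        if not match:
            continue
        name, version = match.group("name"), match.group("version")
        if version is None:
            # No @version: npx resolves the "latest" dist-tag at run time.
            findings.append((name, "unpinned: resolves to 'latest' at run time"))
        elif not EXACT_SEMVER.match(version):
            findings.append((name, f"pinned to tag/range '{version}', not an exact version"))
    return findings


def pin(args, version):
    """Rewrite npx args so the package token carries an exact version (name@version)."""
    out = []
    pinned = False
    for arg in args:
        if not pinned and not arg.startswith("-"):
            match = NPM_SPEC.match(arg)
            if match:
                arg = f"{match.group('name')}@{version}"
                pinned = True
        out.append(arg)
    return out


if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE_SKILL_JSON):
        print(f"{name}: {reason}")
    # "1.2.3" is a placeholder version; pin to the release you actually reviewed.
    print(pin(["-y", "@agentdocs1/mcp-server", "--http"], "1.2.3"))
```

Pinning fixes which version npx fetches, but npm still downloads it fresh on hosts that have no cache; for production, installing the pinned version once (with a lockfile so the integrity hash is recorded) and pointing the skill at that local install removes the run-time download entirely.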
Resource      Declared   Inferred   Status      Evidence
Network       READ       READ       ✓ Aligned   MCP server makes HTTP requests to the configured agentdocs_url
Environment   NONE       READ       ✓ Aligned   API_KEY is passed to the external MCP server as a configured secret
Shell         NONE       WRITE      ✓ Aligned   npx execution is documented and necessary for MCP server startup
External URLs (10 findings)

Severity   Type           URL                                                        Location
Medium     External URL   https://img.shields.io/badge/ClawHub-uplo-architecture-blue   README.md:5
Medium     External URL   https://clawhub.com/skills/uplo-architecture                  README.md:5
Medium     External URL   https://img.shields.io/badge/MCP-21_tools-green               README.md:6
Medium     External URL   https://img.shields.io/badge/schemas-4-orange                 README.md:7
Medium     External URL   https://uplo.ai/schemas                                       README.md:7
Medium     External URL   https://your-instance.uplo.ai                                 README.md:24
Medium     External URL   https://clawhub.com/skills/uplo-engineering                   README.md:60
Medium     External URL   https://clawhub.com/skills/uplo-knowledge-management          README.md:61
Medium     External URL   https://clawhub.com/skills/uplo-accounting                    README.md:62
Medium     External URL   https://app.uplo.ai                                           skill.json:17

File Tree

4 files · 7.1 KB · 185 lines
Markdown: 3 files · 136 lines; JSON: 1 file · 49 lines
├─ 📝 identity-patch.md Markdown 9L · 1.7 KB
├─ 📝 README.md Markdown 70L · 2.7 KB
├─ 📋 skill.json JSON 49L · 1.2 KB
└─ 📝 SKILL.md Markdown 57L · 1.5 KB

Dependencies (1 item)

Package                  Version   Source      Known Vulns   Notes
@agentdocs1/mcp-server   latest    npm (npx)   No            Version not pinned; downloaded via npx -y at runtime

Security Positives

✓ No local script files present; the skill is purely a wrapper that launches the external MCP server via npx
✓ API key properly marked as secret in skill.json configuration
✓ No filesystem access declared or observed
✓ No credential harvesting or exfiltration patterns detected
✓ No obfuscation or base64-encoded execution
✓ No sensitive path access (ssh, aws, .env) observed
✓ MCP transport is documented and uses standard HTTP protocol