uplo-consulting 安全扫描报告 — 低风险 | ClawSafe

15 /100

uplo-consulting

AI-powered consulting knowledge management. Search engagement records, methodology frameworks, deliverable templates, and best practices with structured extraction.

This is a legitimate consulting knowledge management MCP skill with no malicious code or hidden behavior. Minor supply chain concern exists due to unpinned npx execution for the MCP server dependency.

技能名称uplo-consulting

分析耗时41.8s

引擎pi

✓

可以安装

Consider pinning the @agentdocs1/mcp-server version (e.g., @agentdocs1/[email protected]) in skill.json to prevent unexpected updates. Otherwise, the skill is safe to use.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned MCP server dependency 供应链 The skill uses 'npx -y @agentdocs1/mcp-server' without specifying a version. This means different versions could be executed on different runs, potentially introducing malicious code via a compromised package or dependency. `"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"]` → Pin to a specific version: npx -y @agentdocs1/[email protected] or however the package is versioned	`skill.json:19`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem access declared or needed
网络访问	`READ`	`READ`	✓ 一致	MCP server communicates with UPLO instance via HTTP transport
命令执行	`NONE`	`WRITE`	✓ 一致	Uses npx to execute MCP server (shell:WRITE), but this is declared in skill.json…
环境变量	`NONE`	`READ`	✓ 一致	Reads AGENTDOCS_URL and API_KEY from config, which is necessary for MCP authenti…
技能调用	`READ`	`READ`	✓ 一致	MCP tools (search_knowledge, export_org_context, etc.) are declared and document…
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	Database access goes through MCP server to UPLO service

10 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-uplo-consulting-blue

README.md:5

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-consulting

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/MCP-21_tools-green

README.md:6

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/schemas-4-orange

README.md:7

🔗

中危外部 URL 外部 URL

https://uplo.ai/schemas

README.md:7

🔗

中危外部 URL 外部 URL

https://your-instance.uplo.ai

README.md:24

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-professional-services

README.md:60

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-knowledge-management

README.md:61

🔗

中危外部 URL 外部 URL

https://clawhub.com/skills/uplo-accounting

README.md:62

🔗

中危外部 URL 外部 URL

https://app.uplo.ai

skill.json:17

目录结构

4 文件 · 11.0 KB · 227 行

Markdown 3f · 178L JSON 1f · 49L

├─ 📝 identity-patch.md Markdown 9L · 1.7 KB

├─ 📝 README.md Markdown 70L · 2.8 KB

├─ 📋 skill.json JSON 49L · 1.2 KB

└─ 📝 SKILL.md Markdown 99L · 5.3 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@agentdocs1/mcp-server`	`latest (unpinned)`	npm	否	Version not pinned - uses npx -y without version specifier

安全亮点

✓ No scripts or executable code included in the skill package

✓ All capabilities are clearly documented in SKILL.md

✓ API key is used only for legitimate UPLO service authentication

✓ No credential harvesting or exfiltration detected

✓ No obfuscated code or base64 execution

✓ No attempts to access sensitive local files (~/.ssh, ~/.aws, .env)

✓ Identity patch is legitimate persona modification for consulting context

✓ No reverse shell, C2, or data theft indicators