Security Decision Report

uplo-legal

Skill implements legitimate MCP-based legal knowledge management but exhibits supply chain risk through unpinned npx package installation without explicit capability declarations.

Install decision first. Source: manual upload. Scan time: 2026/4/5
Files: 4
IOCs: 10
Over-privilege items: 1
Findings: 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions triggered

Block
Declared vs. actual capabilities

Found 1 capability or over-privileged behavior beyond what is declared.

Review
Hidden execution and outbound connections

10 general-risk artifacts were extracted; they need to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain clue that needs attention.

How the risk score was raised

Unpinned npx package dependency +20

@agentdocs1/mcp-server fetched without version or hash pinning, enabling supply chain attacks

Dynamic package installation via npx -y +12

npx -y bypasses user confirmation to install arbitrary packages at runtime

No explicit allowed-tools declaration +10

SKILL.md shows mcporter call commands but doesn't explicitly declare shell:WRITE permission

Most critical evidence

Medium | Supply chain

Unpinned npm package dependency

The skill references @agentdocs1/mcp-server without pinning to a specific version or integrity hash. This allows an attacker to publish a malicious update under the same package name.

Location: skill.json:19
Recommendation: Pin the package to a specific version with integrity hash: @agentdocs1/[email protected]#sha256:...

Medium | Supply chain

Dynamic package installation via npx -y

The npx -y flag bypasses user confirmation and installs the package from the npm registry at runtime without verification. This is a common supply chain attack vector.

Location: skill.json:19
Recommendation: Pre-install the package and reference the local path, or use npm pack with integrity verification

Low | Documentation deception

Missing allowed-tools declaration

SKILL.md shows mcporter call bash invocations but does not explicitly declare shell:WRITE as an allowed capability, creating a doc-to-code mismatch.

Location: SKILL.md:16
Recommendation: Add an explicit allowed-tools declaration for shell:WRITE in skill.json capabilities, or document the shell usage explicitly

Low | Supply chain

Package namespace observation

The package @agentdocs1 is under a personal/organizational namespace which may be more susceptible to typosquatting than official packages.

Location: skill.json:19
Recommendation: Verify package ownership and consider using a verified/organizational package scope

Declared capabilities vs. actual capabilities

Capability         | Verdict | Declared | Inferred | Evidence
Command execution  | Block   | NONE     | WRITE    | SKILL.md:16-44 - mcporter call invocations not declared in capabilities
Network access     | Pass    | READ     | READ     | skill.json:19 - MCP transport via HTTP to configured endpoint
File system        | Pass    | NONE     | NONE     | No file operations detected

Suspicious artifacts and outbound connections

Medium | External URL | https://img.shields.io/badge/ClawHub-uplo-legal-blue | README.md:5
Medium | External URL | https://clawhub.com/skills/uplo-legal | README.md:5
Medium | External URL | https://img.shields.io/badge/MCP-21_tools-green | README.md:6
Medium | External URL | https://img.shields.io/badge/schemas-8-orange | README.md:7
Medium | External URL | https://uplo.ai/schemas | README.md:7
Medium | External URL | https://your-instance.uplo.ai | README.md:24
Medium | External URL | https://clawhub.com/skills/uplo-compliance | README.md:60
Medium | External URL | https://clawhub.com/skills/uplo-environmental | README.md:61
Medium | External URL | https://clawhub.com/skills/uplo-knowledge-management | README.md:62
Medium | External URL | https://app.uplo.ai | skill.json:12

Dependencies and supply chain

Package                | Version | Source    | Vulnerabilities | Notes
@agentdocs1/mcp-server | *       | npm (npx) | -               | Version not pinned - supply chain risk

File composition

4 files · 174 lines
Markdown 3 files · 134 lines
JSON 1 file · 40 lines
Files needing attention · 3
README.md Markdown · 70 lines
SKILL.md Markdown · 57 lines
Missing allowed-tools declaration
skill.json JSON · 40 lines
Unpinned npm package dependency · Dynamic package installation via npx -y · Package namespace observation · https://app.uplo.ai
Other files · identity-patch.md

Security highlights

API key config marked as secret=true in skill.json
No credential exfiltration patterns detected
No suspicious shell commands (reverse shells, curl piping, base64 execution)
No sensitive file access attempts (~/.ssh, ~/.aws, .env)
MCP server pattern is a legitimate industry-standard approach
No obfuscation or anti-analysis techniques detected
Clean codebase with no scripts directory