Back to skill

Security audit

Uplo Compliance

Security checks across malware telemetry and agentic risk

Overview

This compliance skill is broadly purpose-aligned, but it needs Review because it can expose or persist sensitive organizational compliance context and runs an unpinned external MCP package with the user’s API token.

Install only if you trust UPLO and the @agentdocs1/mcp-server package. Use a least-privilege UPLO token, verify or pin the MCP package where possible, and require explicit approval before exporting org context, logging compliance summaries, or flagging/proposing changes to compliance records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting an `export_org_context` capability without prominent warnings or access-control guidance is risky because it implies bulk extraction of organizational knowledge, which may include confidential, regulated, or privileged information. In a compliance-focused skill, this context is especially sensitive and could enable large-scale data exposure if users over-trust the tool or configure it broadly.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The README promotes unified search across compliance obligations, audit findings, and regulatory filings but does not warn that these sources can contain sensitive internal, confidential, or regulated data. In this skill context, omission of data-handling cautions can lead to unsafe deployment, overbroad ingestion, and accidental disclosure through AI tooling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly logs a summary of audit-prep work in a domain that routinely handles highly sensitive data, including audit findings, regulatory issues, control weaknesses, and potentially privileged compliance context. Without guidance to minimize, redact, or restrict logged content, users may persist sensitive operational or legal information into a broader conversation log or audit trail, increasing unauthorized disclosure and retention risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.