Security audit

Uplo Devops

Security checks across malware telemetry and agentic risk

Overview

This DevOps knowledge skill is mostly coherent, but it can expose and retain broad internal infrastructure context without clear scoping or user approval.

Install only with a least-privilege UPLO token and a trusted UPLO instance. Avoid full organization exports unless there is a clear approved need, and require confirmation before logging incident details or changing knowledge-base state. Review the external npm MCP server provenance and pin an audited version for production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill is presented as a DevOps knowledge search and structured extraction tool, but it also declares the ability to export organizational context, which broadens access beyond the stated purpose. In a DevOps environment, organizational context can include sensitive internal architecture, procedures, and operational metadata, creating unnecessary data exposure and increasing blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The export_org_context capability is not justified by the manifest's stated search-focused DevOps use case and enables bulk extraction of organization-level data. In this context, that data may include runbooks, infrastructure details, incident procedures, and other sensitive operational knowledge that would be highly valuable for reconnaissance or exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README advertises `export_org_context` as a full organizational context snapshot without any warning about the sensitivity of the exported data, access controls, or approval requirements. In a DevOps knowledge-management skill, such exports may include infrastructure details, runbooks, internal procedures, and other high-value operational metadata, increasing the risk of over-collection or unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill recommends `export_org_context` as a normal workflow step without any warning, scope limitation, or justification tied to a specific user need. In a DevOps knowledge skill, organization-wide context can include sensitive architecture, service ownership, incident history, and possibly operational metadata that should be minimized and disclosed before export.

Ssd 3

Severity: Medium
Confidence: 85%
Finding
The session-start guidance normalizes loading identity context, team assignments, on-call status, access tier, and directives up front, even though the skill itself notes some production configuration and credential documentation are restricted. This broad default collection increases exposure of sensitive operational context beyond what may be necessary for a given request and can enable overbroad retrieval behavior.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Presenting organization-wide context export as a routine migration-planning step without data-minimization constraints invites unnecessary bulk access and propagation of sensitive infrastructure knowledge. In this context, exported org data may reveal dependencies, architecture, escalation paths, and operational history that materially increase organizational risk if mishandled.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The instruction to use `log_conversation` after every incident investigation encourages default retention of operational details, including outage characteristics, root causes, infrastructure settings, and potentially sensitive incident data. Without guidance on sanitization, retention limits, or access control, this creates a durable repository of high-value operational intelligence.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.