Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Architecture

v1.0.0

AI-powered architecture knowledge management. Search building designs, code compliance records, project specifications, and BIM data with structured extraction.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to provide architecture/BIM knowledge management and its SKILL.md, README, and skill.json all describe connectors and search tools for that domain. Requiring an UPLO instance URL and API key (in skill.json) is consistent with that purpose. However, the registry metadata shown to you earlier lists no required env vars/credentials while skill.json requires agentdocs_url and api_key — this mismatch is a packaging/metadata incoherence that should be resolved.
Instruction Scope
Runtime instructions tell the agent to call mcporter commands to fetch identity context, run semantic search, export org context, and log conversations. Those actions will transmit queries, organizational context, and conversation summaries to the external MCP endpoint. That behavior is expected for a knowledge connector but is also a potential data-exfiltration vector — verify you are comfortable sending sensitive project/specification data and conversation logs to the configured UPLO endpoint.
Install Mechanism
There is no separate install script in the registry, but skill.json's mcp block uses npx -y @agentdocs1/mcp-server to launch the MCP server. Running npx will fetch and execute code from npm (package @agentdocs1/mcp-server). This is a common pattern for MCP adapters but carries moderate supply-chain risk: confirm the npm package and publisher are trusted and review the package's repository/releases if possible.
Credentials
The only sensitive configuration required (per skill.json and README) is an UPLO instance URL (agentdocs_url) and an API key (api_key), which are proportional to the connector's function. But the registry metadata you were shown lists no required env vars — that discrepancy is concerning and could mislead admins about what secrets will be needed or transmitted.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges in the provided files. It describes starting an MCP server scoped to the skill; autonomous invocation is allowed (default) but not unusual for connectors. There is no evidence it modifies other skills or system settings.
What to consider before installing
Before installing, confirm the following:
(1) The skill.json requires an UPLO instance URL and an API key — verify that the registry/package metadata accurately documents this and that you intend to provide those credentials.
(2) The MCP adapter will be run via npx @agentdocs1/mcp-server; review and trust that npm package and its publisher (check the package repo, maintainers, and recent releases).
(3) The SKILL.md directs the agent to fetch org context and to log conversations back to the UPLO endpoint — ensure your organization permits sending project files, specifications, and conversation logs to that external service and that classification rules will be enforced.
(4) Ask the skill author/owner to fix the registry metadata mismatch (declare required env/config fields) and to provide a canonical homepage or source repo so you can audit the adapter package.
If the package and endpoint are verified trusted and metadata is corrected, this skill appears coherent for its stated purpose; otherwise proceed with caution or request more info.
