Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Clinical

v1.0.0

AI-powered clinical operations intelligence spanning pharmaceutical development and healthcare delivery. Unified search across clinical trials, protocols, an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's functions (search_with_context, search_knowledge, get_directives, export_org_context, logging) align with a clinical knowledge-management product. The declared config in skill.json (agentdocs_url + api_key) is appropriate for connecting to a UPLO/MCP server. However, the registry metadata above lists 'required env vars: none' and 'primary credential: none', which contradicts skill.json and README that require an API key and URL.
Instruction Scope
SKILL.md instructs the agent to immediately pull identity context, check directives, run searches, and log pharmacovigilance sessions. Those actions are within the stated clinical operations scope. The instructions do require access to identity/clearance context and to log audit trails, which is expected for pharmacovigilance workflows, but also means the agent will handle sensitive identity and patient-related metadata — SKILL.md does state to respect classification tiers.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but README and skill.json indicate running an MCP server via 'npx @agentdocs1/mcp-server --http' and setting AGENTDOCS_URL/API_KEY. Using npx/npm to pull and run an MCP server is a moderate-risk install path because it will execute code from the npm package at runtime. The package name @agentdocs1/mcp-server should be verified (publisher, integrity, and intended behavior) before installation.
Credentials
The skill.json requires agentdocs_url and api_key (an MCP token) which are proportionate to the service, but the publicly visible registry metadata lists no required env vars/credentials — this mismatch is a red flag. The skill will have access to organization identity context and potentially sensitive clinical data when given the API key; ensure the API key has least privilege and is scoped to an appropriate environment (test/sandbox) before granting access.
Persistence & Privilege
always is false and the skill does not request system-wide persistent privileges. The skill's behavior is limited to interacting with the remote MCP/UPLO instance and logging to the knowledge base; it does not claim to modify other skills or global agent configs.
What to consider before installing
Before installing:
(1) Note the inconsistency — the registry lists no required credentials but skill.json/README require a UPLO URL and an API key; confirm this is intentional and request updated metadata.
(2) Treat the API key as sensitive: provision a scoped, least-privilege token (preferably for a non-production/sandbox instance) and confirm logging/audit locations and retention policies.
(3) Verify the npm package '@agentdocs1/mcp-server' publisher and integrity before running npx (npm packages execute code during install/run).
(4) Confirm organizational compliance (HIPAA/GxP) for sending identity context and clinical data to the configured UPLO instance and ensure classification tiers are enforced by the instance.
(5) If you lack confidence in the publisher or need tighter control, run the MCP server in a sandbox environment and inspect network traffic and logs first.
If the author cannot reconcile the metadata mismatch or provide provenance for the npx package, treat the skill as risky.

Like a lobster shell, security has layers — review code before you run it.
