Uplo Construction
v1.0.0AI-powered construction knowledge management. Search project documents, safety compliance records, permits, building codes, and RFIs with structured extraction.
⭐ 0· 133·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (construction knowledge/search) align with the declared capabilities (search_knowledge, search_with_context, get_directives, export_org_context). The skill.json requires an UPLO instance URL and API key — which are appropriate and expected for a connector to an external knowledge service.
Instruction Scope
SKILL.md directs the agent to call MCP tools (get_identity_context, get_directives, search_knowledge, search_with_context, flag_outdated, export_org_context, etc.). It does not instruct the agent to read arbitrary local files or unrelated environment variables, nor to transmit data to unexpected endpoints beyond the configured UPLO MCP URL. It does instruct use of identity/context mapping and logging of sessions (expected for a knowledge base connector).
Install Mechanism
This skill is instruction-only in the registry, but skill.json and README indicate the MCP is launched via `npx -y @agentdocs1/mcp-server --http` with env vars for AGENTDOCS_URL and API_KEY. Using npx means the runtime will pull an npm package on demand — a commonly used but higher-risk install mechanism than pure instruction-only skills because it executes code from a package registry. The package namespace (@agentdocs1) looks plausible for a vendor connector, but there is no homepage/source URL in the registry metadata to validate the package origin.
Credentials
The only required secrets defined in skill.json are agentdocs_url and api_key (MCP token). Those are proportionate for a connector that queries an external document store. Note: the registry summary at the top incorrectly showed 'Required env vars: none' — that conflicts with skill.json and README which require the API key and URL. This appears to be a metadata extraction mismatch rather than a design mismatch.
Persistence & Privilege
always is false and the skill can be invoked normally by the model (disable-model-invocation=false), which is the platform default. The skill does not request persistent, system‑wide privileges or to modify other skills' configs.
Assessment
This skill appears to be a legitimate connector to an UPLO MCP service and requires an instance URL and an API key — which is appropriate. Before installing: 1) Confirm the UPLO service hostname (agentdocs_url) and the npm package (@agentdocs1/mcp-server) are from a trusted vendor or your organization; there is no homepage/source URL in the registry entry. 2) Use a least-privileged, revocable API key (short-lived or scoped) rather than a broad long-lived token. 3) Expect the skill to access project documents and identity/context information — ensure that you are comfortable with the agent logging sessions and that logging/retention policies meet your compliance needs. 4) Review the @agentdocs1/mcp-server package (or host your own MCP server instance) if you want to avoid pulling code via npx at install time. 5) Note the registry metadata contains a mismatch (it shows no required env vars while skill.json requires agentdocs_url and api_key) — treat the skill.json/README as the authoritative source and verify configuration before enabling in production.Like a lobster shell, security has layers — review code before you run it.
latestvk97czkq9fnqvk9t4x4f9br9fsx835ys4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.