Uplo Construction

Security checks across malware telemetry and agentic risk

Overview

This construction knowledge skill is mostly coherent, but it should be reviewed because it can access confidential project data and instructs agents to create or alter project records without clear user approval.

Install only if you trust UPLO and the external MCP package, and use a least-privilege UPLO token. Before use, set a clear rule that the agent must ask before logging conversations, marking documents outdated, or exporting organizational context, especially for safety incidents, change orders, cost data, and litigation-sensitive records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The manifest advertises a narrowly scoped construction knowledge search skill, but it also requests broader capabilities to export organizational context and retrieve directives. That mismatch can enable unnecessary access to sensitive internal data beyond user expectations, increasing the blast radius if the skill is misused or compromised.

VirusTotal

66/66 vendors flagged this skill as clean.
