Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Uplo Customer Success
v1.0.0 · AI-powered customer success knowledge management. Search account health data, onboarding records, renewal tracking, and support escalation documentation with...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the capabilities declared inside skill.json (search_knowledge, search_with_context, export_org_context). Those capabilities legitimately require an UPLO instance URL and an API key (to query org data). However, the registry metadata claimed no required env vars/install spec, while skill.json and README do require config.agentdocs_url and config.api_key and describe running an MCP server via npx — this packaging discrepancy is an incoherence you should ask the publisher to explain.
Instruction Scope
The SKILL.md instructs the agent to call commands like get_identity_context, search_with_context, export_org_context, and log_conversation. export_org_context and get_identity_context imply assembling and exporting full organizational context (health scores, contract values, CSM ownership). While this is consistent with the stated purpose, these operations can surface highly sensitive data (contract values, PII, financials). The instructions rely on the agent to 'respect classification tiers' but leave discretionary judgment to the agent; that open-ended discretion increases risk of accidental over-sharing or exfiltration if misconfigured.
Install Mechanism
Registry metadata claims 'no install spec', but skill.json and README instruct launching an MCP server with npx @agentdocs1/mcp-server --http and setting AGENTDOCS_URL/API_KEY env vars. Running npx pulls an npm package at runtime (moderate risk). The package source (@agentdocs1/mcp-server) should be audited (package contents, publisher identity, recent versions). No direct URL downloads or archives are present, but npx still installs and runs external code on demand — verify the package and prefer pinned versions or vendor-reviewed installs.
Credentials
Skill.json requires config.agentdocs_url and a secret config.api_key (an MCP token) — these are appropriate for a knowledge-base integration, but they grant broad read (and likely write) access to organizational customer-success data. The registry did not list these required credentials, which is inconsistent. Treat the API key as highly sensitive: ensure least privilege, expiration/rotation, and that the endpoint is the correct trusted UPLO instance.
Persistence & Privilege
always: false (normal) and autonomous invocation is allowed by default (also normal). The MCP server invocation (npx @agentdocs1/mcp-server) will start a local/HTTP transport process that remains running while the skill is in use — this is expected for MCP-style skills but does create a persistent network endpoint. Confirm where the server runs (local process vs remote proxy) and what network access it requires.
What to consider before installing
1) Ask the publisher to explain the mismatch between the registry metadata (which lists no required env vars or install spec) and the shipped files (skill.json and README) that require an AGENTDOCS_URL and API_KEY and describe running npx @agentdocs1/mcp-server.
2) Treat the API key as highly sensitive — only supply a least-privilege token scoped to the data the skill truly needs, ensure it can be revoked/rotated, and verify the AGENTDOCS_URL is your organization's trusted UPLO instance.
3) Audit the npm package '@agentdocs1/mcp-server' (who publishes it, review its code or pin to a vetted version) before allowing npx to run it.
4) Confirm whether export_org_context or propose_update will transmit or write full org data anywhere external; require explicit constraints (no contract values or PII unless strictly necessary).
5) Prefer testing in an isolated environment with synthetic or scrubbed data, and monitor/log all MCP traffic while evaluating.
6) If you can't validate the package publisher or the token scope, do not provide production credentials.
Note: absence of static scan findings is not proof of safety — the behavior here is driven by the integration token and external MCP server, so operational controls and publisher verification are essential.
