Uplo Cybersecurity

v1.0.0

AI-powered cybersecurity knowledge management. Search threat intelligence, vulnerability assessments, incident response plans, and compliance documentation w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (cybersecurity knowledge management) align with the declared capabilities (search_knowledge, search_with_context, export_org_context, get_directives) and the skill.json config requiring an agentdocs_url and api_key. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to load identity/clearance, run searches, log investigations, and export organizational context. These actions are appropriate for the described purpose, but a few instructions (export_org_context, log_conversation, get_identity_context) can produce large amounts of sensitive data — the file correctly calls out respecting classification tiers. Ensure the agent enforces clearance checks and that exporting org context is intentionally authorized.
Install Mechanism
There is no separate install spec, but skill.json contains an MCP runtime invocation that uses 'npx -y @agentdocs1/mcp-server'. Invoking the skill may fetch/run an npm package at runtime. This is a reasonable integration pattern but carries the typical risk of pulling code from npm; verify the package source and trustworthiness before enabling automatic runs.
Credentials
The skill requires an UPLO/AgentDocs endpoint and an API key (declared in skill.json config). Those credentials are directly proportional to the skill's purpose. There are no unrelated secrets requested. Note: the top-level metadata listed "required env vars: none" but the skill config does require agentdocs_url and api_key — that is an implementation/configuration requirement, not an unexplained secret request.
Persistence & Privilege
always is false and the skill does not request system-wide configuration or cross-skill modifications. It can be invoked autonomously (default), which is expected for skills; operators should consider limiting autonomous invocation if they are concerned about automatic export of sensitive context.
Assessment
This skill appears to do what it says: it connects to your UPLO/AgentDocs instance to provide cybersecurity search and logging. Before installing:
1) Verify and restrict the API token scope and rotate it regularly;
2) Confirm the agentdocs_url is a trusted, internal endpoint;
3) Review the npm package @agentdocs1/mcp-server (its source, maintainers, and recent versions) because the skill.json suggests npx will fetch it at runtime;
4) Limit or require approval for actions that export org context or log large amounts of sensitive data (export_org_context, log_conversation); and
5) Ensure the agent enforces clearance/TLP checks so data is only shown to authorized users.
If you want lower risk, require manual invocation only or audit calls that produce exported context.

Like a lobster shell, security has layers — review code before you run it.
