Uplo Cybersecurity

Security checks across malware telemetry and agentic risk

Overview

This is a coherent UPLO cybersecurity knowledge-base connector, but it can access and export sensitive organizational security information.

Install only if you trust the UPLO instance and the MCP package it launches. Use a least-privilege UPLO token, confirm classification and clearance rules, review any organizational-context export before sharing it with auditors or third parties, and be deliberate about logging sensitive incident or vulnerability details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README advertises an `export_org_context` capability as a full organizational context snapshot without any caution about sensitive data exposure, access controls, or privacy implications. In a cybersecurity knowledge-management skill, this is especially risky because the exported corpus may include threat intelligence, incident response content, internal configurations, and other high-value information that could be overshared or exfiltrated if users misunderstand the feature's sensitivity.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill explicitly recommends exporting organizational context to an auditor but does not instruct the user to verify data minimization, sensitivity, or authorization before doing so. In a cybersecurity knowledge system, organizational context can include ownership, internal structure, and other sensitive metadata that could exceed what an external party should receive, creating unnecessary disclosure risk.

VirusTotal

64/64 vendors flagged this skill as clean.
