Uplo Defense

Security checks across malware telemetry and agentic risk

Overview

This defense knowledge skill is coherent, but it handles highly sensitive defense and personnel data with broad export and logging features that need careful review before use.

Install only in a UPLO environment approved for the sensitivity of the data it will touch. Pin and review the MCP package version, use least-privilege tokens, confirm that clearance and need-to-know are enforced server-side, restrict export_org_context to a narrowly scoped request, and define logging retention, redaction, and audit access before connecting mission, personnel, clearance, or ITAR/EAR data.
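The client-side part of that checklist (allowlisted tools, least-privilege token scopes, a forced narrowing argument on export_org_context, a cap on bulk retrieval, redacted audit lines, and a pinned-version plus digest check on the package) can be put in front of the integration as a policy gate. The block below is an added example written for this page, not code from the Uplo Defense skill, the UPLO platform, or any MCP SDK; the tool names, argument names, the `tool:<name>` scope format, the manifest shape, and the sample calls are assumptions chosen to mirror the recommendations above.

```python
"""Added example: a deny-by-default policy gate in front of an MCP-style tool
integration. Constructed illustration, not part of the Uplo Defense skill or
any MCP SDK; tool/argument names, scope format and samples are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any

# Argument/result keys that must never reach logs in the clear (assumed set).
SENSITIVE_KEYS = frozenset({"ssn", "clearance_level", "home_address", "phone", "email"})


@dataclass(frozen=True)
class ToolPolicy:
    allowed_tools: frozenset      # allowlist; every other tool is denied
    scope_argument: dict          # tool -> argument that must narrow the request
    max_limit: int                # cap on the size of any bulk retrieval


# export_org_context is only usable for one named program, never org-wide.
POLICY = ToolPolicy(
    allowed_tools=frozenset({"search_personnel", "get_program", "export_org_context"}),
    scope_argument={"export_org_context": "program_id", "search_personnel": "query"},
    max_limit=50,
)


def check_call(call: dict, policy: ToolPolicy, token_scopes: frozenset) -> tuple[bool, str]:
    """Decide whether a tool call may be forwarded to the server.

    `call` has the shape {"name": str, "arguments": {...}}; `token_scopes` are
    the scopes minted into the caller's least-privilege token (assumed format
    "tool:<name>"). Server-side clearance and need-to-know checks still apply;
    this gate only stops over-broad requests before they leave the client.
    """
    name = call.get("name")
    args = call.get("arguments") or {}
    if name not in policy.allowed_tools:
        return False, f"tool {name!r} is not allowlisted"
    if f"tool:{name}" not in token_scopes:
        return False, f"token lacks scope tool:{name}"
    narrowing = policy.scope_argument.get(name)
    if narrowing and not str(args.get(narrowing, "")).strip():
        return False, f"{name} requires a non-empty {narrowing!r} to limit scope"
    if int(args.get("limit", 0)) > policy.max_limit:
        return False, f"limit {args['limit']} exceeds cap {policy.max_limit}"
    return True, "allowed"


def redact(value: Any) -> Any:
    """Recursively mask sensitive keys so audit logs can be retained and shared."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def audit_record(actor: str, call: dict, allowed: bool, reason: str) -> str:
    """One JSON line per decision, arguments redacted before serialization."""
    return json.dumps({"actor": actor, "tool": call.get("name"),
                       "arguments": redact(call.get("arguments") or {}),
                       "allowed": allowed, "reason": reason}, sort_keys=True)


def verify_pinned_package(manifest: dict, artifact: bytes) -> bool:
    """Supply-chain check: the fetched package must match the version and
    digest recorded when it was reviewed (manifest shape is an assumption)."""
    digest = hashlib.sha256(artifact).hexdigest()
    return manifest["version"] == manifest["reviewed_version"] and digest == manifest["sha256"]


# Constructed samples (not real traffic or a real package).
SCOPES = frozenset({"tool:search_personnel", "tool:export_org_context"})
BULK_EXPORT = {"name": "export_org_context", "arguments": {}}
SCOPED_EXPORT = {"name": "export_org_context",
                 "arguments": {"program_id": "PGM-17", "limit": 25}}
PII_SEARCH = {"name": "search_personnel",
              "arguments": {"query": "IPT lead", "ssn": "000-00-0000", "limit": 500}}
SAMPLE_ARTIFACT = b"uplo-defense-mcp-1.2.3.tgz (constructed bytes)"
SAMPLE_MANIFEST = {"version": "1.2.3", "reviewed_version": "1.2.3",
                   "sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}

if __name__ == "__main__":
    for call in (BULK_EXPORT, SCOPED_EXPORT, PII_SEARCH):
        ok, why = check_call(call, POLICY, SCOPES)
        print(audit_record("analyst@example", call, ok, why))
```

The gate deliberately fails closed: an unlisted tool, a missing scope in the token, an export without a program identifier, or a limit above the cap is rejected before any request reaches the server, and the audit line never carries the raw personnel fields.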

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README explicitly markets search over personnel data and ITAR-controlled information but provides no warning about legal, privacy, export-control, or access-control obligations. In a defense-focused skill, normalizing broad AI access to regulated and highly sensitive data increases the risk of misuse, unauthorized disclosure, and noncompliant deployment by users who may assume the integration is safe by default.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Advertising an `export_org_context` capability for a full organizational context snapshot without any cautionary language encourages bulk extraction of potentially sensitive enterprise and defense data. In this context, export functionality materially raises the blast radius of a compromise or misuse because it enables large-scale aggregation and exfiltration rather than narrow, need-to-know retrieval.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill explicitly recommends `export_org_context`, which exposes program office structure, IPT leads, key subcontractors, and systems of record, but does not pair that guidance with an explicit warning to minimize scope, verify need-to-know, or avoid unnecessary export of personnel and contractor data. In a defense setting, organizational structure and subcontractor relationships are sensitive metadata that can facilitate insider abuse, targeting, supply-chain mapping, or overcollection beyond the user's immediate task.

VirusTotal

64/64 vendors reported this skill as clean.
