Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Education

v1.0.0

AI-powered education knowledge management. Search curriculum documents, student records frameworks, accreditation data, and institutional research with struc...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md, and skill.json all describe an UPLO connector for institutional education knowledge (search, GraphRAG, exports). The required config (agentdocs_url and api_key in skill.json) is coherent with a connector to an external UPLO/agentdocs service.
Instruction Scope
SKILL.md instructs the agent to call domain-specific tools (search_knowledge, search_with_context, export_org_context, etc.) and to respect data classification and FERPA. It does not instruct reading unrelated system files, scanning local creds, or exfiltrating data to unexpected endpoints within the provided text.
Install Mechanism
There is no explicit install spec in the registry record, but skill.json config instructs launching an MCP server via `npx @agentdocs1/mcp-server --http`. That will download and execute a scoped npm package at runtime. Using npx to fetch and run code is a legitimate connector pattern but is higher risk than an instruction-only skill because it pulls third‑party code from the npm registry; the package scope (@agentdocs1) is not a widely-known public project in this manifest, so you should verify the package's origin and contents before enabling.
Credentials
skill.json declares two required configs: agentdocs_url and api_key (an MCP token). Those are proportionate for a connector to an external UPLO instance. However, the top-level 'Requirements' section in the registry summary stated 'Required env vars: none' which contradicts skill.json. This metadata inconsistency could lead to confusion during install or inadvertent misconfiguration.
Persistence & Privilege
The skill is not always-enabled and does not request special system paths or persistent privileges. It uses the normal MCP model invocation flow; autonomous invocation is permitted (platform default) and appropriate for this connector.
What to consider before installing
This skill appears to be a legitimate connector to an UPLO/AgentDocs knowledge service, but take these precautions before installing:

- Verify the source: ask the publisher for a homepage or repository and review the @agentdocs1/mcp-server npm package code (or vendor-supplied binaries) before allowing the agent to run npx to fetch it.
- Resolve the metadata inconsistency: the registry summary says no env vars are required but skill.json requires agentdocs_url and api_key. Confirm you will provide a properly scoped API key and correct instance URL.
- Use least-privilege credentials: create an API key scoped only to the data and operations this skill needs (read/search, limited write if propose_update/flag_outdated are enabled). Ensure audit logging is enabled on the UPLO instance.
- Run first in an isolated/test environment: because npx will download and execute remote code, enable the skill initially in a sandboxed agent or with network egress controls.
- Confirm FERPA/data handling expectations: the skill will surface institutional/student data, so make sure that classification tiers, access controls, and data retention policies meet your compliance requirements.

If the vendor cannot point you to a verifiable package source or explain why the registry metadata omits the required creds, do not enable the skill until you have that information.

Like a lobster shell, security has layers — review code before you run it.
