Uplo Education

Security checks across malware telemetry and agentic risk

Overview

This is a coherent UPLO education knowledge-base integration, but it should be installed only with approved endpoints and scoped credentials because it can access sensitive institutional data.

Install this only for your institution's approved UPLO instance. Use a scoped MCP token, confirm HTTPS endpoint ownership, and make sure FERPA/classification controls and any write-back tools such as flag_outdated or propose_update are governed by your normal authorization and audit process.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manifest requires a secret API token and connects to a remote MCP endpoint over HTTP transport, but it provides no explicit user-facing disclosure that credentials will be sent to an external service and that knowledge data may leave the local environment. In an education-focused skill handling curriculum, accreditation, and potentially student-related records, this creates a meaningful risk of unintended credential exposure and sensitive data transmission to a third-party service.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal