Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Energy

v1.0.0

AI-powered energy sector knowledge management. Search power generation records, grid management data, regulatory filings, and safety protocols with structure...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to connect to an UPLO knowledge base and exposes search/graph tools — requiring an UPLO URL and API key is reasonable. However, the registry metadata lists no required env vars while skill.json declares config entries (agentdocs_url and api_key). That mismatch is incoherent: the skill will expect credentials even though the registry says none.
Instruction Scope
SKILL.md instructs the agent to run domain-specific tools (search_with_context, search_knowledge, get_directives, etc.) and to verify identity and classification before querying CEII. It does not instruct arbitrary file reads, unrelated credential collection, or exfiltration to unexpected endpoints beyond the UPLO instance.
Install Mechanism
There is no formal install spec in the registry, but skill.json defines an MCP runtime that uses `npx -y @agentdocs1/mcp-server --http`. That implies the runtime will fetch and run an npm package at use-time. Dynamic npx pulls are higher-risk than pre-reviewed installs because they execute remote code; confirm the @agentdocs1/mcp-server package provenance and contents before allowing the skill to invoke it.
Credentials
Requesting an UPLO URL and API key is proportional to a knowledge-base client. The concern is the missing declaration in registry-level required env vars and the skill manifest relying on those secrets. The skill will pass AGENTDOCS_URL/API_KEY to the MCP server process; ensure the API key has least privilege and that the host URL is trusted.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistent privileges. It appears to run on demand and does not modify other skills or system-wide settings in the provided materials.
What to consider before installing
This skill appears to be a client for an UPLO knowledge base and legitimately needs an UPLO URL and API key — but the package has three red flags you should resolve before installing:

1) Registry metadata vs manifest mismatch: the registry claims no required env vars, yet skill.json requires agentdocs_url and api_key. Treat the skill as requiring credentials until you verify otherwise.
2) Dynamic npm execution: the skill manifest runs `npx @agentdocs1/mcp-server`. That will fetch and execute a remote npm package at runtime. Verify the package name, its publisher, and inspect its source (or ask the vendor for a signed release) before allowing execution.
3) Unknown origin/homepage: the skill's source/homepage fields are empty even though README references uplo.ai. Verify the publisher identity (is this the official UPLO distribution?) and prefer skills with a clear source and release artifacts.

Practical steps:
- Confirm the publisher and check the npm package (@agentdocs1/mcp-server) source and recent versions.
- Only provide an API key scoped with the minimum permissions and with an expiry/rotation policy, and point AGENTDOCS_URL to a trusted domain (prefer your organization's instance).
- If possible, sandbox the skill’s MCP process or audit network activity when first running it.
- If you need stronger assurance, ask the maintainer to update registry metadata to declare required env vars and provide a pinned, reviewable install artifact rather than implicit npx execution.

If you cannot verify the package provenance or the publisher, treat this skill as higher-risk and do not provide sensitive credentials or CEII data to it.

Like a lobster shell, security has layers — review code before you run it.
