Uplo Energy

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent UPLO energy knowledge-base integration, but users should treat its searches and exports as sensitive because they can expose operational energy data.

Install only for a trusted UPLO instance. Use a least-privilege API token, verify the npm MCP package source, and avoid exposing restricted CEII, grid, safety, outage, or compliance data to untrusted agents or conversations. Confirm your organization's retention and logging rules before using context export or compliance-session logging.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill is configured to make remote HTTP(S) requests to a user-supplied UPLO instance and exposes capabilities such as search, policy retrieval, directives, and organization context export, but the manifest provides no explicit warning that prompts and potentially sensitive enterprise data may be sent off-platform. In an energy-sector context, this is more sensitive than generic web search because the referenced data may include grid, safety, regulatory, and operational information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal