Uplo Enterprise It

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches an enterprise IT knowledge-search purpose, but it deserves Review because it runs an unpinned external MCP package with an API key and can export broad organizational IT/security context.

Install only if you trust the UPLO tenant and the npm MCP package. Before use, pin or verify the package version, use a least-privilege API key, and avoid full organizational exports unless the user explicitly needs and approves them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or compromised npm package update could access the user's UPLO token and the enterprise knowledge available through it.

Why it was flagged

The skill runs an unpinned npm MCP server package and passes it the UPLO API key; the reviewed artifacts do not include the package code or a pinned version.

Skill content

"command": "npx", "args": ["-y", "@agentdocs1/mcp-server", "--http"], "env": { "AGENTDOCS_URL": "${config.agentdocs_url}", "API_KEY": "${config.api_key}" }

Recommendation

Verify the npm package publisher and source, pin a specific reviewed version, and use a least-privilege UPLO token.

What this means

The agent could place a wide set of sensitive infrastructure, security, and architecture details into a conversation or report when a narrower search would be safer.

Why it was flagged

The skill exposes a broad export tool for a full organizational snapshot, but the instructions do not require explicit user confirmation, scope limits, redaction, or retention controls before use.

Skill content

"export_org_context" — Full organizational snapshot. Use when preparing comprehensive reports like architecture review documents or security posture summaries

Recommendation

Use full-context export only after explicit user approval, scope it to the minimum needed packs/classification tiers, and redact secrets or restricted security details.

What this means

The skill can access enterprise knowledge permitted by the configured UPLO token.

Why it was flagged

The skill requires a secret UPLO MCP token, which is expected for this integration but grants access according to that token's permissions.

Skill content

"api_key": { "type": "string", "required": true, "secret": true, "description": "Your UPLO MCP token" }

Recommendation

Provide a least-privilege token, rotate it if exposed, and ensure its permissions match the intended users and classification tiers.

What this means

Sensitive enterprise search queries and results may pass through the configured UPLO MCP service.

Why it was flagged

Enterprise IT queries and returned context flow through a configured MCP endpoint; this is purpose-aligned but depends on the trustworthiness and security of that endpoint.

Skill content

"mcp": { "transport": "http", "url": "${config.agentdocs_url}/mcp" }

Recommendation

Use only a trusted UPLO tenant URL, prefer HTTPS, and confirm the MCP endpoint enforces authentication and classification boundaries.

What this means

Incorrect, stale, or overly broad directives in the knowledge base could influence the agent's technical recommendations.

Why it was flagged

The skill asks the agent to incorporate retrieved organizational directives into its answers, which is expected for this purpose but makes the quality and integrity of retrieved context important.

Skill content

Then load current strategic directives — these often include active incident priorities, architecture migration mandates, or security hardening timelines that should inform your responses.

Recommendation

Verify critical operational or security recommendations against current owners, runbooks, and change-management procedures.