Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Uplo Environmental
v1.0.0AI-powered environmental knowledge management. Search impact assessments, compliance monitoring data, sustainability reports, and environmental permits with...
⭐ 0· 79·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and README clearly describe an integration with an UPLO/MCP server and imply the need for an instance URL and API key. The included skill.json indeed declares config.agentdocs_url and config.api_key as required. However, the registry summary at the top lists no required env vars or primary credential — a direct mismatch. Requiring an endpoint URL and API token is coherent with the described purpose, but the metadata inconsistency is concerning and may indicate incomplete packaging or a metadata extraction error.
Instruction Scope
SKILL.md instructs the agent to load identity context and to call MCP tools (get_identity_context, search_knowledge, search_with_context, etc.). Those actions are coherent for a knowledge-base skill. Be aware that 'get_identity_context' will load agent identity/authorization context and queries will transmit user queries and extracted document content to the configured UPLO endpoint — expected for this integration but sensitive if the endpoint is external or untrusted.
Install Mechanism
This is an instruction-only skill (no code files), but skill.json / README direct the agent to run an MCP server via npx @agentdocs1/mcp-server --http. Using npx will fetch and execute code from the npm registry at runtime. That is a common pattern but carries moderate risk relative to a self-contained, vetted binary: it executes third-party code dynamically. There is no offline install spec or pinned release URL in the package; verify the npm package source and integrity before allowing execution.
Credentials
The skill requires an agentdocs_url and an API key (sensitive secret) to function, which matches the purpose of contacting an organization-specific UPLO instance. However, the registry's declared requirements omitted these, creating a mismatch. The API key gives the skill access to organizational environmental data via the remote MCP endpoint — this is proportionate for the described capability but is high-sensitivity access and should only be granted to a trusted endpoint and vetted package.
Persistence & Privilege
The skill does not request always: true and does not claim to modify other skills or system-wide settings. It is invocable by the user and can be invoked autonomously by the agent (platform default). No elevated or persistent system privileges are requested in the provided files.
What to consider before installing
This skill is designed to connect your agent to an UPLO/MCP knowledge instance and that requires providing an instance URL and a sensitive API key. Before installing: (1) confirm the skill source and owner (the registry metadata lacks a homepage and the owner ID is opaque); (2) verify the npm package @agentdocs1/mcp-server (review its repository, versions, and recent changes) because the agent will run it via npx; (3) ensure the agentdocs_url points to a trusted, internal UPLO instance (not a third‑party or unfamiliar host); (4) treat the API key as highly sensitive — limit its scope and rotate it if used for testing; (5) consider running the skill in a sandboxed environment or with restricted network access first; and (6) resolve the metadata mismatch (registry claims no required credentials while skill.json requires them) with the publisher before granting production access. If you cannot validate the package and endpoint, do not provide your organizational API key.Like a lobster shell, security has layers — review code before you run it.
latestvk971e9m14vqmffghqppvhzkj0s839vc5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.