Uplo Environmental

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent environmental knowledge-management purpose, but it connects an external MCP package to an API key and exposes broad organizational export plus knowledge-base change actions without enough scoping or approval guidance.

Review before installing. Use a dedicated least-privileged UPLO token, confirm the npm package and UPLO server URL are trusted, restrict access to the intended environmental pack, and require explicit approval before exporting organizational context or writing knowledge-base updates.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
This markdown file includes an `API_KEY` environment variable in the setup instructions, which involves handling sensitive credentials. The surrounding documentation provides no warning about protecting the key, avoiding committing it to config files, or treating it as secret material, so users may copy it into insecure locations.

Missing User Warnings

Medium
Confidence: 84%
Finding
The listed tool `export_org_context` suggests bulk export of organizational context, which could affect privacy or system/data integrity if used carelessly. The README does not include any user-facing warning about the sensitivity of exported data, access controls, or the need to verify authorization before use.

VirusTotal

66/66 vendors flagged this skill as clean.
