Skill v1.0.0
ClawScan security
Uplo Finance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 12:46 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (access to financial knowledge hosted on a UPLO instance) is plausible, but three things should be resolved before installing: the registry metadata disagrees with skill.json about required credentials, there is no homepage or other provenance for the publisher, and running the skill fetches and executes an npm MCP server at runtime via npx, which is a supply-chain exposure.
- Guidance: Before installing:
  - (1) Clarify the metadata mismatch: the registry listing shows no required credentials or environment variables, but skill.json requires agentdocs_url and api_key.
  - (2) Confirm who publishes the skill and why there is no homepage; missing provenance makes it harder to tell a legitimate publisher from an impostor and raises the risk.
  - (3) Audit the npm package @agentdocs1/mcp-server (maintainers, publish history, dependencies, install scripts, known vulnerabilities) before allowing the skill to run npx. Note that `npx -y` installs without prompting and, with no version given, resolves whatever is currently tagged latest, so pin an exact version you have reviewed.
  - (4) Provision a least-privilege API key for your UPLO instance (read-only, scoped to the knowledge the agent actually needs, short-lived if the platform supports it) and test in a staging environment first.
  - (5) Verify that requests are logged and monitored, and that classification markings and access controls are enforced by the UPLO instance itself rather than only by the agent's instructions, so sensitive financial documents are not exposed beyond what the task needs.
  - (6) If you cannot verify the npm package or the publisher, treat the skill as untrusted and do not install it in production.
Review Dimensions
- Purpose & Capability (concern): The skill's functionality (searching UPLO-hosted financial knowledge) matches the capabilities declared in SKILL.md and README. However, the registry metadata at the top of this report lists no required credentials or environment variables, while skill.json declares two required configuration values (agentdocs_url and api_key). Asking for a UPLO instance URL and an API token is reasonable for this purpose, but the mismatch is an inconsistency you should clarify with the publisher.
- Instruction Scope (ok): SKILL.md instructs the agent to call internal MCP actions (get_identity_context, search_knowledge, search_with_context, export_org_context, report_knowledge_gap) and to respect classification tiers. It does not instruct the agent to read arbitrary local files or to send data to unknown endpoints. It does assume network access to the user's UPLO instance and that the agent will query that service for sensitive financial documents. Respecting classification tiers is a prompt-level instruction, so the actual control has to come from the UPLO instance and the scope of the API key, not from the agent's compliance.
- Install Mechanism (note): The skill is instruction-only in the registry, but README and skill.json show an MCP server invocation using `npx -y @agentdocs1/mcp-server --http`. That means an npm package is downloaded and executed at runtime (moderate supply-chain risk); because no version is pinned, npx resolves whichever version is currently published as latest and runs any install scripts it declares. No direct downloads from untrusted URLs are present, but you should audit the npm package (@agentdocs1/mcp-server) and its maintainers before installation.
- Credentials (concern): The declared required config (agentdocs_url and api_key) is proportionate for a connector that queries your UPLO instance. These values are sensitive, though: the API key would likely grant access to financial documents. The registry listing inconsistently claimed no required environment variables or credentials, and that mismatch is concerning. Make sure the API key can be scoped to least privilege (read-only, narrow scope) and that your token storage and rotation practices are acceptable for it.
- Persistence & Privilege (ok): The skill does not request always:true, declares no system-wide modifications, and is user-invocable. The included identity-patch is behavioural guidance for the agent (prefer UPLO sources), not a system-level privilege escalation. Autonomous invocation is allowed by default, but that is not by itself a red flag here.
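The guidance steps and the Purpose, Install Mechanism and Credentials dimensions above all come down to checks a reviewer can run mechanically before installing: compare the credentials skill.json requires with what the registry listing declares, detect a runtime npx invocation and whether its package is pinned, and look for missing provenance or an always:true flag. The script below is an added example written for this report; it is not ClawHub or ClawScan code. The field names it reads (config/required/secret in skill.json, required_env, required_credentials, homepage and always in the listing, mcp.command for the server invocation) are assumptions for illustration, and both inputs are constructed to mirror the findings in the report.

```python
"""Pre-install consistency checks for an agent skill package.

Added example for this scan report; it is not ClawHub/ClawScan code. The field
names below (config/required/secret in skill.json; required_env,
required_credentials, homepage and always in the registry listing; mcp.command
for the server invocation) are assumed for illustration and the real schemas
may differ. Both inputs are constructed to mirror the report's findings.
"""
import json
import re

# Constructed registry listing: no credentials or env vars declared, no homepage.
REGISTRY_LISTING = json.loads("""
{
  "name": "uplo-finance",
  "version": "1.0.0",
  "homepage": null,
  "required_env": [],
  "required_credentials": [],
  "always": false
}
""")

# Constructed skill.json: two required values and an unpinned npx invocation.
SKILL_JSON = json.loads("""
{
  "name": "uplo-finance",
  "config": {
    "agentdocs_url": {"required": true},
    "api_key": {"required": true, "secret": true}
  },
  "mcp": {"command": "npx -y @agentdocs1/mcp-server --http"}
}
""")

# npx [flags...] <package-spec>; the spec may carry a scope (@org/name) and/or a version (@1.2.3).
NPX_RE = re.compile(r"\bnpx\s+((?:-[-\w]+\s+)*)(@?[\w./-]+(?:@[\w.^~*-]+)?)")
EXACT_VERSION_RE = re.compile(r"\d+\.\d+\.\d+(?:[-+][\w.]+)?")


def parse_npx(command):
    """Return (package_name, version_or_None) for the first npx call, or None if there is none."""
    m = NPX_RE.search(command)
    if m is None:
        return None
    spec = m.group(2)
    scoped = spec.startswith("@")
    body = spec[1:] if scoped else spec  # a leading '@' is a scope, not a version separator
    if "@" in body:
        name, version = body.rsplit("@", 1)
    else:
        name, version = body, None
    return ("@" + name if scoped else name), version


def check_skill(registry, skill):
    """Return [(severity, message), ...] in a stable order so a verdict can be derived from it."""
    findings = []
    config = skill.get("config", {})

    # 1. Credentials required by skill.json must also be declared in the registry listing.
    declared = {name for name, spec in config.items() if spec.get("required")}
    listed = set(registry.get("required_env", [])) | set(registry.get("required_credentials", []))
    hidden = sorted(declared - listed)
    if hidden:
        findings.append(("concern", f"skill.json requires {hidden} but the registry listing declares none of them"))

    # 2. Any npx invocation means an npm package is installed and executed at runtime.
    parsed = parse_npx(skill.get("mcp", {}).get("command", ""))
    if parsed is not None:
        name, version = parsed
        findings.append(("note", f"runs npm package {name} via npx at runtime (supply-chain exposure)"))
        if version is None or EXACT_VERSION_RE.fullmatch(version) is None:
            findings.append(("concern", f"{name} is not pinned to an exact version; npx resolves the current 'latest' tag"))

    # 3. Provenance and persistence signals from the listing.
    if not registry.get("homepage"):
        findings.append(("concern", "registry listing has no homepage or other publisher provenance"))
    if registry.get("always"):
        findings.append(("concern", "always:true loads the skill into every session without user invocation"))
    return findings


def verdict(findings):
    """Coarse verdict: any 'concern' makes the skill suspicious; notes alone are ok."""
    return "suspicious" if any(s == "concern" for s, _ in findings) else "ok"


if __name__ == "__main__":
    results = check_skill(REGISTRY_LISTING, SKILL_JSON)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print("verdict:", verdict(results))
```

Run against the constructed inputs it reproduces the report's four findings (hidden credentials, runtime npx, unpinned package, no provenance) and a suspicious verdict; with the credentials declared in the listing, a homepage present and the package pinned to an exact version, only the runtime-npx note remains. The pin check deliberately rejects ranges such as `^1.0.0` and tags such as `latest`, since either lets a later publish change what `npx` executes.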
