Skill v1.0.0

ClawScan security

Uplo Github · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 20, 2026, 12:46 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (indexing GitHub org metadata) is coherent with requiring an UPLO instance and API key, but there are packaging inconsistencies and an undeclared runtime install/remote-service behavior that you should review before installing.
Guidance
Before installing or enabling: (1) confirm the required configuration (agentdocs_url and api_key) — the package metadata incorrectly listed no env vars; (2) only point the skill at an UPLO instance you control or fully trust, because repository contents, issues, PR text and CODEOWNERS will be sent there; (3) be aware the skill expects to run an MCP server via npx (@agentdocs1/mcp-server) which will download/execute code at runtime — prefer a vetted/pinned package or run it in a restricted environment; (4) limit the API key scope if possible and get organizational approval for sharing repository metadata with the configured service; (5) if you need higher assurance, ask the publisher for a signed release URL, package checksum, or an install spec that avoids implicit npx downloads.

Review Dimensions

Purpose & Capability
note: The skill claims to provide org-wide GitHub knowledge and the included skill.json/config (agentdocs_url + api_key) describes connecting to an external UPLO MCP server to perform searches — this is coherent. However, the registry metadata at the top of the submission claimed 'Required env vars: none' while skill.json requires an instance URL and API key, which is an inconsistency in the package metadata.
Instruction Scope
note: SKILL.md instructs only to call UPLO-related operations (get_identity_context, search_knowledge, search_with_context, etc.) and does not direct the agent to read unrelated local files or arbitrary environment variables. It does, however, imply the agent will send repository metadata, issues, PR text, and other org data to the configured UPLO instance — expected for this type of skill but a potentially sensitive data flow that should be authorised.
Install Mechanism
concern: The skill package itself has no install spec, yet README and skill.json indicate runtime behavior that uses npx to start an MCP server ("npx -y @agentdocs1/mcp-server --http"). That implies dynamic download/execution of an npm package at runtime (moderate risk). The package source (@agentdocs1/mcp-server) is referenced but no pinned release URL or checksum is provided. This remote install/exec behavior is not fully declared in the top-level metadata and increases risk.
Credentials
concern: skill.json requires agentdocs_url and api_key (API token), which are proportional to the purpose (the service needs credentials to receive and index GitHub data). However, the submitted registry metadata incorrectly listed 'none' for required env vars; that mismatch could mislead users. The API key has access to potentially broad organizational data on the UPLO instance, so only provide it to a trusted instance and with least privilege.
Persistence & Privilege
ok: The skill does not request always:true, does not ask to modify other skills or system-wide config, and has normal autonomous-invocation defaults. There is no evidence it demands system-level persistence or escalated privileges.