Uplo Knowledge Management

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate UPLO knowledge-management connector, but it can expose broad organizational context and affect knowledge records without enough built-in scoping guidance.

Install only if you trust the UPLO service and the external MCP package, and use a scoped UPLO token. Prefer targeted searches over full organizational exports, require explicit confirmation before exports or gap/flag/update actions, and verify that classification tiers, audit logging, and review or rollback workflows are enforced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README advertises an `export_org_context` capability that can produce a full organizational context snapshot, but it provides no warning about data sensitivity, access controls, or privacy implications. In a knowledge-management skill that aggregates taxonomies, expertise directories, directives, and other internal records, normalizing bulk export as a feature without safeguards can encourage overbroad access and accidental exposure of confidential organizational intelligence.

Vague Triggers

Medium
Confidence: 89%
Finding
The 'When to Use' section is broad enough that the skill could be invoked for generic organizational or executive-information requests without clearly constraining scope, authorization, or data-minimization expectations. In a knowledge-management context, that increases the chance the agent will surface sensitive operational, personnel, governance, or retention information to users whose need-to-know is not explicit.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly promotes using `export_org_context` for a 'full organizational context export' and frames it as highly valuable, but it does not warn about the sensitivity, breadth, or access-control implications of exporting organization-wide knowledge state. In this context, such an export could aggregate expertise maps, gaps, governance documents, and internal structure into a high-value dataset that amplifies overexposure and exfiltration risk.

VirusTotal

65/65 vendors flagged this skill as clean.
