Uplo Logistics

Security checks across malware telemetry and agentic risk

Overview

The available evidence does not show hidden, destructive, or deceptive behavior, though the scanner-reported export and logging guidance should be handled carefully.

Before installing, confirm that exports are sent only to authorized recipients and that conversation logging is optional, approved, and excludes sensitive customer, shipment, pricing, customs, credential, or confidential business data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly recommends exporting organizational context for auditors and other external parties without any caution about access control, data minimization, or approval requirements. In a logistics environment, org context can reveal trade-lane ownership, reporting chains, warehouse assignments, and other sensitive operational details that could be over-shared to third parties or exposed beyond need-to-know.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill encourages use of log_conversation without warning that the resulting history may capture sensitive logistics, pricing, shipment, customs, or commercial information. Persistent logging increases the risk of unintended retention, wider internal access, later disclosure, or use of regulated/sensitive business data in contexts that were not originally intended.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal