Uplo Manufacturing

Security checks across malware telemetry and agentic risk

Overview

The artifacts appear coherent for a ClawHub CLI/skill workflow, with only a low-risk documentation gap around handling tokens and API keys.

Install/use this only if you are comfortable granting the CLI registry access with your ClawHub token or related API keys. Keep tokens out of source control and screenshots, prefer environment variables or a secret manager where practical, and rotate any credential that may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 72%
Finding
The README instructs users to place an API key directly in configuration without any guidance on secret handling, rotation, or avoiding accidental exposure. While common in setup docs, this can lead to credentials being committed to source control, shared in screenshots, or stored insecurely in plaintext desktop configs.

VirusTotal

66/66 vendors flagged this skill as clean.
