Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Compliance

v1.0.0

AI-powered compliance intelligence spanning legal, financial, and government regulatory requirements. Unified search across compliance obligations, audit fin...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for roojenkins/uplo-compliance.

Install the skill "Uplo Compliance" (roojenkins/uplo-compliance) from ClawHub.
Skill page: https://clawhub.ai/roojenkins/uplo-compliance
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install uplo-compliance

ClawHub CLI

npx clawhub@latest install uplo-compliance

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name, description, README, SKILL.md, and identity-patch are consistent: this is a connector/knowledge-search skill for a UPLO/AgentDocs compliance instance. The declared MCP capabilities (search_with_context, get_directives, export_org_context, etc.) match the stated compliance use cases.
Instruction Scope
SKILL.md instructs the agent to call internal MCP tools (get_identity_context, get_directives, search_with_context, export_org_context, propose_update, etc.). Those calls relate directly to compliance tasks and do not direct the agent to read arbitrary host files or unrelated credentials. However, the workflow expects access to organizational knowledge (export_org_context) and to respect classification tiers — so the skill will surface potentially sensitive internal data to the configured UPLO instance.
Install Mechanism
There is no formal install spec in the registry manifest (instruction-only), but skill.json / README instruct running an npm package via npx (@agentdocs1/mcp-server). That implies runtime downloading and executing code from the npm registry (moderate risk). The package source is specified (npm package name), not an arbitrary URL or IP, which is safer than a raw download but still a runtime code fetch worth auditing.
Credentials
Top-level registry metadata lists no required env vars/credentials, but skill.json config requires agentdocs_url and api_key (secret). README also references AGENTDOCS_URL and API_KEY and DEFAULT_PACKS. Requesting an API key and endpoint is proportionate to the skill's purpose (it must talk to a UPLO/AgentDocs instance), but the manifest-metadata omission is an important inconsistency: the skill will need secrets despite the registry claiming none. This mismatch could mislead installers.
Persistence & Privilege
always is false and model invocation is permitted (normal). The skill does not claim to modify other skills or system-wide config. The main persistence/privilege consideration is that running the MCP server via npx will create a runtime process that communicates with the configured endpoint — no automatic 'always' or elevated system privileges are requested in the manifest.
What to consider before installing
Key things to check before installing:

  • The registry metadata omitted required credentials, but skill.json and the README require agentdocs_url and api_key. Treat that as a packaging/manifest inconsistency — do not rely on the registry's 'no credentials' statement.
  • The skill runs an MCP server via npx (@agentdocs1/mcp-server). That will download and execute an npm package at runtime. Verify the npm package name and publisher, review its source, and only run it if you trust the publisher.
  • Confirm the endpoint (AGENTDOCS_URL) is your controlled/trusted UPLO instance. An untrusted endpoint + API key could expose sensitive compliance data. Use least-privilege API keys and restrict their scope and lifetime.
  • Understand data flows: the skill will surface organization context and potentially export audit evidence (export_org_context). Ensure this behavior aligns with your data classification and audit policies.
  • If you need higher assurance, request a corrected manifest that declares required credentials, and ask for the @agentdocs1/mcp-server source repository or a signed release to audit the MCP server code before running.
  • Consider running the connector in an isolated environment, with network and credential controls, and monitor outbound connections and logs after enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latest vk970hnr32jsc2agpmm63fv3g7n835501
218 downloads
0 stars
1 version
Updated 23h ago
v1.0.0
MIT-0

UPLO Compliance — Cross-Domain Regulatory Intelligence

Regulatory obligations do not respect department boundaries. A single product launch can trigger SEC disclosure requirements, GDPR data processing impact assessments, export control reviews, and state-level consumer protection filings simultaneously. UPLO Compliance unifies these fragmented compliance streams into one searchable knowledge layer, so your GRC team, outside counsel, and finance controllers are all working from the same ground truth.

Session Start

Begin by loading your compliance identity. This determines which regulatory domains you can access (some filings are privileged or under litigation hold) and surfaces any active enforcement deadlines or consent decree obligations.

get_identity_context

Immediately review active directives — in compliance, a missed directive can mean a missed filing deadline:

get_directives

When to Use

  • Tracing which regulatory obligations attach to a new product line before go-to-market (e.g., does the product trigger CFPB oversight or only state AG jurisdiction?)
  • Pulling the exact language from a prior consent decree to determine if a proposed business practice falls within its scope
  • Preparing audit committee materials by gathering all open findings across SOX, HIPAA, and state privacy audits in one query
  • Identifying which internal policies were updated after the last OCC examination and which remain unaddressed
  • Checking whether a vendor's data processing agreement satisfies Article 28 GDPR processor requirements documented in your policy library
  • Locating precedent from prior SEC comment letter responses when drafting a new 10-K disclosure
  • Reviewing anti-money laundering (AML) suspicious activity report thresholds across different business units

Example Workflows

Regulatory Change Impact Assessment

A new state privacy law passes (e.g., Texas Data Privacy and Security Act). The compliance team needs to assess organizational readiness.

search_with_context query="data privacy consumer opt-out requirements current policies"

Compare the existing controls against the new requirements:

search_knowledge query="CCPA CPRA opt-out mechanisms implementation documentation"

Check if leadership has issued any directives about privacy program expansion timelines:

get_directives

Propose an update to the compliance obligation register:

propose_update target_table="entries" target_id="<obligation-register-entry-id>" changes='{"data":{"new_obligation":"Texas DPSA compliance deadline 2026-07-01"}}' rationale="New state privacy law enacted; obligation register needs updated deadline tracking"

Multi-Jurisdiction Audit Preparation

External auditors are arriving for a combined SOX and data privacy audit. The compliance officer needs to assemble evidence across domains.

search_knowledge query="SOX Section 404 control testing results Q4 material weakness"
search_with_context query="data privacy audit findings remediation status open items"

Pull the organizational structure to identify control owners:

export_org_context
log_conversation summary="Assembled cross-domain audit prep materials covering SOX 404 controls and privacy audit remediation status" topics='["SOX","data-privacy","audit-prep"]' tools_used='["search_knowledge","search_with_context","export_org_context"]'

Key Tools for Compliance

search_with_context — Compliance questions almost always require organizational context. "Who is responsible for this control?" or "Which department owns this filing obligation?" are answered by the graph traversal that enriches search results with entity relationships. Example: search_with_context query="OFAC sanctions screening procedures responsible department"

get_directives — The compliance team lives and dies by directives. Board resolutions, consent decrees, enforcement actions, and filing deadlines all surface here. Check at session start and before giving any compliance guidance.

search_knowledge — Targeted retrieval for known compliance artifacts: specific policy versions, audit finding numbers, regulatory filing drafts. Example: search_knowledge query="Form ADV Part 2A brochure latest annual update"

flag_outdated — Compliance documents have expiration dates. When you encounter a policy referencing a superseded regulation (e.g., a document still citing the EU-US Privacy Shield instead of the Data Privacy Framework), flag it immediately. Stale compliance documentation is a material risk.

propose_update — When you identify a gap between a regulatory requirement and the documented control, propose the fix. This enters the compliance review workflow with full audit trail.

Tips

  • Compliance queries often involve specific regulatory citations. Use precise references like "17 CFR 240.10b-5" or "GDPR Article 35" rather than paraphrasing — the extraction engine indexes these identifiers.
  • Always check your clearance level at session start. Privileged legal communications, ongoing investigation materials, and draft regulatory responses are typically restricted and may not appear in results if your clearance is insufficient.
  • When assembling audit evidence, use export_org_context to get the organizational snapshot that auditors will use as their map. Discrepancies between this snapshot and what auditors find on the ground create findings.
  • Cross-domain compliance questions (e.g., "Does our AML program satisfy both FinCEN and EU 6AMLD requirements?") work best with search_with_context because the graph traversal connects financial regulation entries with legal analysis entries that may not share keywords.
