ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Legal

v1.0.0

AI-powered legal knowledge management. Search contracts, compliance requirements, legal cases, and policy documents with structured extraction.

0· 180·0 current·0 all-time
by@roojenkins
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (legal knowledge management) matches the toolset and commands (search_knowledge, search_with_context, export_org_context, get_directives). HOWEVER the registry metadata supplied to the scanner lists no required env vars or credentials while skill.json declares two required config items (agentdocs_url and api_key). That mismatch is unexpected and should be resolved — the API key and instance URL are plausible and proportional for this purpose, but their omission from the published metadata is an incoherence.
Instruction Scope
SKILL.md instructs the agent to call mcporter commands to fetch identity context, run searches, export full org context, and log conversations. All of these fall inside a legal-knowledge connector's responsibilities. Still, export_org_context and log_conversation can yield large or sensitive data — the instructions do not place explicit limits on exports or logging destinations. The SKILL.md also assumes an MCP endpoint configured via mcporter; it does not show safeguards for preventing unintended export of confidential data.
!
Install Mechanism
There is no separate install spec in the registry, but skill.json's mcp block runs 'npx -y @agentdocs1/mcp-server --http' at runtime. That means the agent will fetch and execute an npm package via npx when the MCP is launched. Downloading and running code from npm is a moderate risk (traceable but not pre-reviewed). The package name and origin should be verified; the skill does not embed a reproducible release or pinned checksum.
Credentials
skill.json requires agentdocs_url and api_key (an MCP token) which are appropriate for connecting to an UPLO instance. That is proportionate to the stated purpose. But the public registry metadata omitted these requirements; SKILL.md does not declare or show how secrets are managed. API keys grant access to organizational data and must be scoped/rotated — the skill provides no guidance on least privilege or token scopes.
Persistence & Privilege
The skill is not always: true and does not request system-wide changes. Autonomous invocation is allowed (platform default) but not combined with an 'always' flag or other elevated privileges. There is no evidence it modifies other skills' configs.
What to consider before installing
Before installing: (1) Confirm the required configuration (agentdocs_url and api_key) with the skill publisher — the registry listing incorrectly showed no required creds. (2) Verify the destination for the API key is a trusted UPLO instance and limit its scope/ttl. (3) Inspect or vendor-check the npm package @agentdocs1/mcp-server (it will be fetched via npx at runtime); prefer a pinned version/checksum or an audited distribution. (4) Consider restricting use of 'export_org_context' and 'log_conversation' to trusted, audited sessions (these can export sensitive data). (5) Test the skill in a sandboxed environment with non-production credentials first, and ask the publisher to add explicit export safeguards and to correct the published metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk979t0b3smwww8vh43sq40ckfx834tw2
180downloads
0stars
1versions
Updated 3h ago
v1.0.0
MIT-0
@roojenkins
latest
Download

UPLO Legal — Contract & Compliance Intelligence

You have access to organizational knowledge through UPLO, focused on legal domain expertise.

Session Start

When you begin a new session, fetch your organizational context:

mcporter call uplo-legal.get_identity_context

When to Use

  • Questions about legal policies, procedures, or processes
  • Looking up domain-specific knowledge and documentation
  • Finding subject matter experts
  • Verifying facts against the knowledge base

Key Tools

Search knowledge:

mcporter call uplo-legal.search_knowledge query="your question here"

Search with full context (GraphRAG):

mcporter call uplo-legal.search_with_context query="complex question with org context"

Export org context:

mcporter call uplo-legal.export_org_context

Get directives:

mcporter call uplo-legal.get_directives

Session End

Log the conversation:

mcporter call uplo-legal.log_conversation summary="Brief summary" topics='["topic1"]' tools_used='["search_knowledge"]'

Important

  • Always cite sources when sharing UPLO information
  • Respect classification levels
  • If UPLO doesn't have the answer, say so rather than guessing

Comments

Loading comments...