Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Logistics

v1.0.0

AI-powered logistics knowledge management. Search shipment records, warehouse procedures, fleet data, and customs documentation with structured extraction.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for roojenkins/uplo-logistics.

Install the skill "Uplo Logistics" (roojenkins/uplo-logistics) from ClawHub.
Skill page: https://clawhub.ai/roojenkins/uplo-logistics
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install uplo-logistics

ClawHub CLI


npx clawhub@latest install uplo-logistics
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide logistics knowledge access and the included files (README.md, SKILL.md, skill.json) all describe connecting to an UPLO MCP server using an instance URL and API key—this is consistent with the stated purpose. However, the registry metadata at the top of the report said 'Required env vars: none' and 'Primary credential: none' while skill.json declares required config entries (agentdocs_url and api_key). That metadata mismatch is an incoherence that should be clarified.
Instruction Scope
SKILL.md directs the agent to query UPLO tools (search_knowledge, search_with_context, export_org_context, get_directives, etc.) and to always 'pull current logistics context' at session start. Those instructions stay within the skill's stated domain (no local file/secret harvesting or arbitrary external endpoints are instructed). However, some commands (export_org_context, search_knowledge) can surface large amounts of sensitive org data (shipments, contracts, HTS codes, PII). The skill instructs broad context pulls by default, which increases data-access scope even if technically consistent with the purpose.
Install Mechanism
There is no formal install spec in the registry, but skill.json (and README) expect to run an MCP server via npx: '@agentdocs1/mcp-server --http'. That means at runtime the agent/system will fetch and execute a package from the npm ecosystem. This is moderate-to-high risk because code is fetched and executed dynamically, the package is not version-pinned in the examples (no specific semver/sha), and the package origin and contents are unverified in the bundle. If you install/run this, verify the npm package, prefer pinned/verified releases, and audit the package source.
Credentials
The only sensitive configuration the skill requires (per skill.json) is an UPLO instance URL and an API key, which are proportionate for a connector to an external knowledge service. That said, the top-level registry metadata incorrectly reported no required env/config — this discrepancy should be resolved. Also consider granting the API key least privilege and confirm what operations the MCP token allows (read-only vs. export/export_org_context).
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-wide config paths. The skill's behavior is to run an MCP server process and call MCP tools; this is expected for a connector and does not, on its face, request elevated platform privileges. Still note that running the MCP server will open a local HTTP transport and may persist/manage conversation logs depending on the MCP implementation—verify that behavior before deploying in production.
What to consider before installing
Before installing or enabling this skill:

  • Resolve the metadata mismatch: ask the publisher why the registry lists no required credentials while skill.json requires agentdocs_url and api_key.
  • Treat the API key as sensitive: use a token with least privilege and rotate it if you later revoke access. Confirm whether the token can export data and whether export_org_context will produce full org dumps.
  • Audit the runtime package: confirm the npm package '@agentdocs1/mcp-server' exists, review its source and recent releases, and prefer a pinned version (and ideally a checksum) rather than allowing npx to fetch the latest implicitly.
  • Consider running the MCP server in an isolated environment (test / staging) first so you can monitor network requests and filesystem activity.
  • Ask the vendor for documentation describing exactly what data flows out of the MCP server and what 'export_org_context' and 'log_conversation' do (where data is stored/transmitted).
  • If you need stricter guarantees, request a signed release or host the server yourself rather than relying on npx at runtime.

These steps will reduce the risk from dynamic package execution and large-scale data access prompted by the skill's default instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e9fd954gz2ebdx9kwqafwq98384p0
136 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

UPLO Logistics

Your supply chain has thousands of moving parts — literally. This skill connects your AI assistant to UPLO's structured knowledge base covering freight operations, warehouse management, fleet maintenance, customs compliance, and carrier performance data. Stop digging through spreadsheets and email chains to find that one bill of lading.

Session Start

Begin every session by pulling your current logistics context. This surfaces active shipments, pending customs clearances, warehouse capacity alerts, and any flagged carrier performance issues so you can orient before diving into specifics.

use_mcp_tool: get_identity_context
use_mcp_tool: search_knowledge query="active shipments and logistics alerts this week"

When to Use

  • Tracking down the customs classification (HTS code) used for a specific product line last quarter
  • Finding which 3PL warehouse has capacity for overflow inventory during peak season
  • Pulling carrier on-time delivery rates to support a contract renegotiation
  • Locating the standard operating procedure for hazmat freight handling at your distribution centers
  • Checking what incoterms were agreed upon in the latest forwarding contract with your European partners
  • Reviewing dwell time metrics at port of entry to identify bottlenecks
  • Answering "what was our landed cost per unit for SKU X shipped from Shenzhen last month?"

Example Workflows

Carrier Performance Review

You need to prepare for a quarterly business review with your top LTL carrier.

use_mcp_tool: search_knowledge query="carrier performance metrics FedEx Freight Q4 on-time delivery damage claims"
use_mcp_tool: search_with_context query="FedEx Freight contract terms service level agreements penalty clauses"
use_mcp_tool: get_directives

Review the extracted KPIs against contracted SLAs. The directives will tell you whether leadership is pushing to consolidate carriers or diversify, which shapes your negotiation stance.

Customs Compliance Audit Prep

CBP has requested documentation for a focused assessment on your import program.

use_mcp_tool: search_knowledge query="customs entry summaries HTS classifications country of origin determinations"
use_mcp_tool: search_knowledge query="broker of record powers of attorney customs bonds"
use_mcp_tool: export_org_context

Cross-reference the extracted entry data against your C-TPAT compliance program documentation. The org context export gives auditors a clear picture of your trade compliance organizational structure.

Key Tools for Logistics

search_knowledge — The workhorse. Query against shipment records, BOLs, warehouse SOPs, and fleet data all at once. Example: "warehouse receiving procedures for refrigerated goods building 7"

search_with_context — When you need the full picture around a specific topic, like understanding how a routing guide decision connects to carrier contracts and volume commitments. Example: "routing guide primary carrier assignments for westbound intermodal lanes"

export_org_context — Generates a structured view of your logistics organization: who owns which trade lanes, warehouse assignments, and reporting chains. Invaluable for onboarding new freight brokers or 3PL partners.

get_directives — Surfaces leadership priorities like "reduce ocean freight spend 12% by shifting to contract rates" or "achieve 98.5% OTIF by Q3." Keeps your operational decisions aligned with strategic goals.

flag_outdated — Mark stale rate sheets, expired carrier contracts, or superseded warehouse procedures so they don't pollute search results. Example: flag a 2024 tariff schedule that's been replaced.

Tips

  • Search using industry-standard document names: "bill of lading," "commercial invoice," "packing list," "certificate of origin" — the extraction engine recognizes these as distinct document types and returns more precise results.
  • When researching landed cost, combine searches across freight invoices, customs duty records, and warehouse handling charges rather than expecting a single document to have the full picture.
  • Use log_conversation after resolving a routing or carrier issue — it builds a searchable history that helps when the same lane problem resurfaces next peak season.
  • Warehouse SOPs change frequently. If you find conflicting procedures, use flag_outdated on the older version and report_knowledge_gap if neither version covers the scenario you need.
