Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uplo Media

v1.0.0

AI-powered media knowledge management. Search content production records, licensing agreements, distribution data, and audience analytics with structured ext...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md, and identity-patch all describe a media knowledge-management integration and the listed MCP tools (search_knowledge, search_with_context, get_directives, export_org_context, etc.) are coherent with that purpose. The skill requests access to an UPLO/MCP endpoint and API key in skill.json, which is appropriate for a connector to a hosted knowledge service.
Instruction Scope
Runtime instructions in SKILL.md are narrowly scoped to querying the organization's knowledge base and related directives (search_* calls, get_directives, log_conversation, propose_update, report_knowledge_gap). These actions align with the stated purpose but do involve reading and logging potentially sensitive org data (rights, contracts, talent compensation). The guidance to use 'log_conversation' and 'export_org_context' is useful but increases the sensitivity of data that may be captured; the skill does not provide details about retention, export destinations, or access controls.
Install Mechanism
The skill has no formal install spec in the package registry summary, but skill.json and the README instruct running an MCP server via 'npx -y @agentdocs1/mcp-server --http'. That means the agent will fetch and execute an npm package at runtime. Fetching and running a remote npm package is moderate-to-high-risk behavior unless the package and publisher are verified. There is no published homepage or authoritative source in the registry metadata to validate the package.
Credentials
skill.json declares two required config values: agentdocs_url (your UPLO instance URL) and api_key (MCP token). Those credentials are proportional to the skill's functionality. However, the registry metadata earlier stated 'no required env vars'—an inconsistency. Also, the skill's workflows (export_org_context, log_conversation) imply access to broad organizational data; ensure the API key can be scoped minimally and that organization policies permit this access.
Persistence & Privilege
The skill is not forced-always (always:false) and is user-invocable (normal). It does declare an MCP server command that the agent may run to provide tools — this creates a local HTTP transport and effectively runs external code at runtime, but it does not request permanent platform-wide privileges or config changes. Autonomous invocation plus the provided API key would let the skill access org data when invoked; treat the API key as sensitive.
What to consider before installing
This skill appears to do what it says (media rights/production knowledge queries) but there are several things to verify before installing:

1) Confirm the skill's source and publisher—there's no homepage or authoritative source listed in the registry; verify 'UPLO' identity and the npm package '@agentdocs1/mcp-server' are legitimate.
2) Prefer using a scoped, least-privilege API key for your UPLO/MCP instance and confirm acceptable data access/retention policies (who can read exported org context and logged conversations).
3) Understand that the agent will run 'npx @agentdocs1/mcp-server' (fetching and executing code from npm at runtime); if you cannot verify the package, avoid installing or run in an isolated/staging environment.
4) Ask the publisher for an explicit privacy/data-retention statement and the exact npm package checksums or a link to a canonical release (GitHub release or company domain) to validate the runtime artifact.

If you cannot validate the package/publisher or limit the API key scope, treat this skill as risky and do not install in production.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b47gpd9c1ea41j4wfc8eaj18383pn
118 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
MIT-0

UPLO Media

The media industry runs on rights, deadlines, and relationships — and the documentation behind all three is scattered across deal memos, distribution agreements, production bibles, ratings reports, and talent contracts. This skill gives your AI assistant structured access to that knowledge so you can answer questions about content rights windows, production budgets, talent availability, and audience performance without hunting through file shares.

When to Use

  • Checking whether your distribution rights for a title cover SVOD in Southeast Asia or only linear broadcast
  • Finding the talent hold dates and options for a recurring cast member before greenlighting Season 3
  • Pulling audience retention curves and completion rates for a series to inform renewal decisions
  • Locating the music licensing terms for a track used in Episode 4 before you can clear international distribution
  • Reviewing production insurance certificates and bond requirements for an upcoming shoot
  • Comparing CPMs and fill rates across ad-supported content in your portfolio
  • Answering "which titles in our library have rights expiring in the next 6 months?"

Session Start

Orient yourself by loading your identity context and checking what content priorities leadership has set — slate decisions, acquisition targets, and distribution strategy all flow from directives.

use_mcp_tool: get_identity_context
use_mcp_tool: get_directives
use_mcp_tool: search_knowledge query="content slate priorities greenlight decisions upcoming productions"

Example Workflows

Rights Availability Check for International Sales

Your distribution team received an inquiry from a European broadcaster about licensing a title.

use_mcp_tool: search_with_context query="distribution rights windows Territory Europe title 'Northern Edge' holdbacks exclusivity"
use_mcp_tool: search_knowledge query="Northern Edge existing license agreements international territories"
use_mcp_tool: search_knowledge query="Northern Edge audience performance ratings demographics international comparable"

The context search connects the title's rights chain — original production agreement, domestic distribution deal, and any existing international licenses — so you can see exactly what's available and what's encumbered.

Production Budget Reconciliation

You're closing out a production and need to reconcile actuals against the approved budget.

use_mcp_tool: search_knowledge query="Project Lighthouse production budget approved cost report actuals variance"
use_mcp_tool: search_knowledge query="Project Lighthouse vendor invoices post-production VFX sound mix"
use_mcp_tool: export_org_context

Pull the structured budget data alongside vendor payment records. The org context shows which production executives and line producers own the sign-off chain.

Key Tools for Media

search_with_context — Essential for rights management. A single title has interconnected agreements (production, domestic, international, music, talent) and you need to see how they relate. Example: "rights chain for 'After Midnight' including music sync licenses and talent residual obligations"

search_knowledge — Fast lookup across your content library metadata, production records, and audience data. Example: "audience demographics 18-49 rating performance unscripted content Q4 2025"

get_directives — Surfaces the creative and business strategy that should inform content decisions: genre priorities, budget envelopes, platform strategy, and audience targets. Critical context before recommending acquisitions or renewals.

propose_update — When deal terms change (renegotiated license fee, extended rights window, revised delivery date), propose the update so the structured record stays current. Example: update the avail date for LATAM territories after a holdback extension.

report_knowledge_gap — Flag missing documentation before it becomes a problem. No signed chain-of-title for a library title? No E&O insurance certificate for an acquisition? Report it now.

Example Queries That Work Well

Rather than generic searches, use the terminology your deals and production teams actually use:

  • "above-the-line costs pilot episode budget top sheet"
  • "SAG-AFTRA scale payments series regular options"
  • "deliverables list technical specifications OTT platform"
  • "residual payment schedule backend participation profit definition"
  • "clearance report music visual third-party IP episode 7"

Tips

  • Rights data is time-sensitive. Always check the valid_through or expiration fields in results — a rights window that expired last month will still appear in search but shouldn't inform a sales pitch.
  • Use log_conversation after any rights negotiation discussion. Media deals involve many informal agreements that eventually need to be papered, and having a searchable log prevents "I thought we agreed to..." disputes.
  • When searching for audience data, include the measurement source (Nielsen, platform analytics, Comscore) since the same title can have very different numbers depending on methodology.
  • Production documents use inconsistent naming. Search by project code name AND official title — many productions change names between development and release.
