📦 Uplo Banking — 实用工具
v1.0.0和 loan processing documentation 使用 structured extraction.
0· 213·0 当前·0 累计
by @roojenkins 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (banking KYC/AML knowledge access) matches its behavior, but there are inconsistent metadata and a few moderate risks (sensitive API key access, runtime npm execution, and tools that can export full org data) that you should validate before installing.
评估建议
Before installing or enabling this skill: (1) Verify the source and homepage — skill.json cites UPLO but registry metadata lacks a homepage; ask the publisher for a canonical source. (2) Confirm the required config: agentdocs_url and api_key are needed (contradiction with registry metadata). Only provide an API key that is scoped to the minimum necessary permissions, ideally read-only and time-limited, and ensure audit logs are enabled. (3) Review the npm package @agentdocs1/mcp-server (author, ...详细分析 ▾
ℹ 用途与能力
The skill is clearly a UPLO/UPLO-like connector for banking knowledge (KYC/AML, regulatory records). That purpose legitimately requires an instance URL and an API key to talk to the UPLO MCP server — which appear in skill.json and README. However the registry metadata provided earlier claimed no required env/config/credentials; that is inconsistent with the included skill.json and README. Confirm which metadata is authoritative before trusting the skill.
ℹ 指令范围
SKILL.md instructs the agent to call mcporter commands (e.g., search_knowledge, search_with_context, export_org_context, log_conversation). Those commands are coherent with the stated purpose. Two operational notes: (1) SKILL.md assumes a local MCP/mcporter tool is available but the registry metadata did not declare required binaries — clarify this dependency; (2) the skill exposes actions that can export full organizational context and log conversations back to the MCP, which is expected for this connector but carries high sensitivity for KYC/SAR data and should be limited and audited.
⚠ 安装机制
There is no explicit install spec in the registry, which reduces disk-write risk, but skill.json includes an MCP launch command using 'npx -y @agentdocs1/mcp-server --http'. That means when the agent runs, it may fetch and execute an npm package at runtime. Downloading and executing code from npm is a moderate-risk install mechanism — verify the package name and publisher, prefer pinned versions, and review the package source before allowing execution.
ℹ 凭证需求
The skill requires a UPLO instance URL and an API key (skill.json config), which are proportionate to a knowledge-base connector. However, the API key grants access to extremely sensitive banking data (KYC, SARs, examinations). Ensure the provided API key is scoped to least privilege, time-limited if possible, and audited. Also resolve the discrepancy where registry metadata lists no required credentials.
✓ 持久化与权限
The skill does not request always:true or other elevated persistent privileges, and there is no indication it modifies other skills or system-wide settings. Normal autonomous invocation is allowed (platform default).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install uplo-banking
镜像加速npx clawhub@latest install uplo-banking --registry https://cn.longxiaskill.com