📦 Uplo Media — 媒体知识管理
v1.0.0AI驱动的媒体知识管理平台,可一键检索内容制作记录、版权协议、分发数据与受众分析,结构化扩展元数据,助力团队高效复用资产、洞察趋势、优化内容策略。
0· 127·0 当前·0 累计
by 下载技能包
最后更新
2026/3/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to do what it says (media rights/production knowledge queries) but there are several things to verify before installing: 1) Confirm the skill's source and publisher—there's no homepage or authoritative source listed in the registry; verify 'UPLO' identity and the npm package '@agentdocs1/mcp-server' are legitimate. 2) Prefer using a scoped, least-privilege API key for your UPLO/MCP instance and confirm acceptable data access/retention policies (who can read exported org contex...详细分析 ▾
✓ 用途与能力
Name, README, SKILL.md, and identity-patch all describe a media knowledge-management integration and the listed MCP tools (search_knowledge, search_with_context, get_directives, export_org_context, etc.) are coherent with that purpose. The skill requests access to an UPLO/MCP endpoint and API key in skill.json, which is appropriate for a connector to a hosted knowledge service.
ℹ 指令范围
Runtime instructions in SKILL.md are narrowly scoped to querying the organization's knowledge base and related directives (search_* calls, get_directives, log_conversation, propose_update, report_knowledge_gap). These actions align with the stated purpose but do involve reading and logging potentially sensitive org data (rights, contracts, talent compensation). The guidance to 'log_conversation' and 'export_org_context' are useful but increase the sensitivity of data that may be captured; the skill does not provide details about retention, export destinations, or access controls.
⚠ 安装机制
The skill has no formal install spec in the package registry summary, but skill.json / README instructs running an MCP server via 'npx -y @agentdocs1/mcp-server --http'. That means the agent will fetch and execute an npm package at runtime. Fetching and running a remote npm package is a moderate-to-high risk behavior unless the package and publisher are verified. There is no published homepage or authoritative source in the registry metadata to validate the package.
ℹ 凭证需求
skill.json declares two required config values: agentdocs_url (your UPLO instance URL) and api_key (MCP token). Those credentials are proportional to the skill's functionality. However the registry metadata earlier stated 'no required env vars'—an inconsistency. Also, the skill's workflows (export_org_context, log_conversation) imply access to broad organizational data; ensure the API key can be scoped minimally and that organization policies permit this access.
ℹ 持久化与权限
The skill is not forced-always (always:false) and is user-invocable (normal). It does declare an MCP server command that the agent may run to provide tools — this creates a local HTTP transport and effectively runs external code at runtime, but it does not request permanent platform-wide privileges or config changes. Autonomous invocation plus the provided API key would let the skill access org data when invoked; treat the API key as sensitive.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/20
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install uplo-media
镜像加速npx clawhub@latest install uplo-media --registry https://cn.longxiaskill.com