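📦 Uplo Legal — Intelligent Legal Management
v1.0.0 One-stop AI legal knowledge base: search contracts, compliance clauses, case law and policies in seconds, automatically extract key information and archive it in structured form, multiplying the efficiency of legal research and compliance review.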
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
medium confidence
The skill's behavior generally matches a legal knowledge connector, but there are inconsistencies in the declared configuration and a runtime mechanism (npx -> npm package) plus broad export/log commands that warrant caution before installing.
Assessment recommendations
Before installing: (1) Confirm the required configuration (agentdocs_url and api_key) with the skill publisher — the registry listing incorrectly showed no required creds. (2) Verify the destination for the API key is a trusted UPLO instance and limit its scope/ttl. (3) Inspect or vendor-check the npm package @agentdocs1/mcp-server (it will be fetched via npx at runtime); prefer a pinned version/checksum or an audited distribution. (4) Consider restricting use of 'export_org_context' and 'log_co...
ℹ Purpose and capabilities
The name/description (legal knowledge management) matches the toolset and commands (search_knowledge, search_with_context, export_org_context, get_directives). HOWEVER the registry metadata supplied to the scanner lists no required env vars or credentials while skill.json declares two required config items (agentdocs_url and api_key). That mismatch is unexpected and should be resolved — the API key and instance URL are plausible and proportional for this purpose, but their omission from the published metadata is an incoherence.
ℹ Instruction scope
SKILL.md instructs the agent to call mcporter commands to fetch identity context, run searches, export full org context, and log conversations. All of these fall inside a legal-knowledge connector's responsibilities. Still, export_org_context and log_conversation can yield large or sensitive data — the instructions do not place explicit limits on exports or logging destinations. The SKILL.md also assumes an MCP endpoint configured via mcporter; it does not show safeguards for preventing unintended export of confidential data.
⚠ Installation mechanism
There is no separate install spec in the registry, but skill.json's mcp block runs 'npx -y @agentdocs1/mcp-server --http' at runtime. That means the agent will fetch and execute an npm package via npx when the MCP is launched. Downloading and running code from npm is a moderate risk (traceable but not pre-reviewed). The package name and origin should be verified; the skill does not embed a reproducible release or pinned checksum.
ℹ Credential requirements
skill.json requires agentdocs_url and api_key (an MCP token) which are appropriate for connecting to an UPLO instance. That is proportionate to the stated purpose. But the public registry metadata omitted these requirements; SKILL.md does not declare or show how secrets are managed. API keys grant access to organizational data and must be scoped/rotated — the skill provides no guidance on least privilege or token scopes.
✓ Persistence and permissions
The skill is not always: true and does not request system-wide changes. Autonomous invocation is allowed (platform default) but not combined with an 'always' flag or other elevated privileges. There is no evidence it modifies other skills' configs.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/3/18
Initial release of uplo-legal: an AI-powered legal knowledge management skill.
- Search organizational contracts, compliance, cases, and policy documents.
- Extract structured legal information using dedicated commands.
- Fetch organizational context and domain-specific knowledge.
- Tools include knowledge search, advanced GraphRAG queries, and context export.
- Guidance on session start/end, proper citation, and classification compliance.
● Harmless
Install command
Official: npx clawhub@latest install uplo-legal
Mirror (accelerated): npx clawhub@latest install uplo-legal --registry https://cn.longxiaskill.com (mirror sync in progress)