Low risk (risk score 15/100)
Last scanned: 2 days ago
paygreen
PayGreen integration for payment processing with Membrane CLI
PayGreen integration skill using Membrane CLI with transparent documentation; no hidden malicious behavior detected.
Skill name: paygreen
Analysis time: 26.7s
Engine: pi
Safe to install
Skill appears safe. Consider pinning the CLI version in production for reproducibility.

Security findings: 1

Severity: Low
Finding: CLI package version not pinned
The skill instructs users to install @membranehq/cli without a version pin or @latest tag, which could lead to unexpected updates. This is a minor reproducibility concern, not a security issue.
npm install -g @membranehq/cli
→ Consider pinning to a specific version or using @latest for latest stable release
Location: SKILL.md:25
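
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | NONE | NONE | | No file operations found; SKILL.md is documentation only |
| Network access | READ | READ | ✓ Consistent | SKILL.md:1 - External URLs (getmembrane.com, developers.paygreen.fr) and API pro… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:25 - npm install -g @membranehq/cli is explicitly documented |
| Browser | READ | READ | ✓ Consistent | SKILL.md:31 - Browser-based OAuth authentication flow is documented |
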
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://developers.paygreen.fr/
SKILL.md:19

Directory structure

1 file · 4.2 KB · 121 lines
Markdown 1f · 121L
└─ 📝 SKILL.md Markdown 121L · 4.2 KB

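Dependency analysis: 1

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| @membranehq/cli | unpinned | npm | | No version specified; installs whatever is latest in registry |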

Security highlights

✓ All network access is declared in documentation
✓ Credential handling is explicitly managed by Membrane (no local secrets stored)
✓ No hidden subprocess execution or eval patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoded payloads or obfuscated code
✓ No credential harvesting or data exfiltration
✓ OAuth flow uses standard browser-based authentication
✓ Skill is open source with clear MIT license