Scan Report
10 /100
lyanthe
Lyanthe integration for managing data, records, and workflow automation via the Membrane CLI
This skill is a straightforward Membrane CLI wrapper for interacting with Lyanthe. It contains only documentation in SKILL.md with no hidden scripts, credential harvesting, or undeclared behavior.
Safe to install
No action needed. The skill is a well-documented Membrane CLI integration. Consider pinning the npm package version in production deployments.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md uses bash code blocks (npm install, membrane login, membrane connect, m… |
| Filesystem | NONE | NONE | — | No file operations declared or performed |
| Network | NONE | NONE | — | Network access is fully delegated to the Membrane CLI (membrane request), no raw… |
| Environment | NONE | NONE | — | No environment variable access declared or performed |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Browser opens for OAuth login only; authentication is external and user-mediated |
| Database | NONE | NONE | — | No direct database access |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://lyanthe.com/docs SKILL.md:19 File Tree
1 files · 4.2 KB · 124 lines Markdown 1f · 124L
└─
SKILL.md
Markdown
Security Positives
✓ All capabilities (shell access) are explicitly declared through bash code blocks in SKILL.md
✓ Credentials are managed by Membrane CLI with no local secret storage — explicitly documented as a best practice
✓ No credential harvesting or environment variable scanning observed
✓ No obfuscated code, base64 payloads, or suspicious string patterns
✓ No sensitive file access (.ssh, .aws, .env paths not referenced)
✓ No download-and-execute patterns (curl|bash, wget|sh) — npm install is a standard package manager operation
✓ No data exfiltration or C2 communication indicators
✓ The skill delegates all network I/O to the Membrane CLI which handles auth transparently server-side
✓ Source repository (github.com/membranedev/application-skills) is publicly verifiable