扫描报告
20 /100
search-api
Search API integration for managing Deals, Persons, Organizations, Leads, Projects, and Pipelines
Documentation-only skill that integrates with Membrane CLI for Search API; all capabilities are properly declared with no hidden functionality detected.
可以安装
No immediate action required. The skill uses standard npx patterns for CLI tool execution and declares all network/shell access. Consider pinning the Membrane CLI version in production rather than using @latest.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Unpinned CLI version with @latest | SKILL.md:25 |
| 低危 | Credentials stored in user home directory | SKILL.md:29 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | SKILL.md line 1: Requires network access |
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md: All npx commands use bash execution |
| 文件系统 | NONE | READ | ✓ 一致 | SKILL.md: Reads ~/.membrane/credentials.json (implicit READ for credential stora… |
1 项发现
中危 外部 URL 外部 URL
https://developers.google.com/custom-search/v1/reference/rest SKILL.md:17 目录结构
1 文件 · 4.5 KB · 115 行 Markdown 1f · 115L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | latest | npx | 否 | Version unpinned - use @latest could fetch different code |
安全亮点
✓ Documentation-only skill with clear, readable SKILL.md
✓ All shell commands documented with expected behavior
✓ No base64-encoded payloads or obfuscated code
✓ No environment variable enumeration for credential theft
✓ No remote IP connections without declared proxy (Membrane)
✓ Network access is properly declared as required
✓ No suspicious patterns like curl|bash or wget|sh
✓ Credentials are handled by Membrane CLI (a known tool), not custom exfiltration code