4demit Security Report — Trusted | ClawSafe

10 /100

4demit

4dem.It integration. Manage data, records, and automate workflows via Membrane CLI.

A clean, documentation-only skill for integrating with 4dem.It via the Membrane CLI. No scripts, no binary files, no hidden functionality, and all shell/network operations are explicitly declared and necessary for the stated purpose.

Skill Name4demit

Duration24.1s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use.

Findings 1 items

Severity	Finding	Location
Low	Incomplete skill description SKILL.md states 'I don't have enough information about this app' — the description field is essentially empty, making it difficult to understand the full scope of the skill without reading the full document. `I don't have enough information about this app to accurately describe it.` → Add a meaningful description covering what 4dem.It does (appears to be a CRM ticketing system) and the primary use cases for the skill.	`SKILL.md:12`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md:36 — npm install -g writes to filesystem; no other file access needed
Network	`READ`	`READ`	✓ Aligned	SKILL.md:42-90 — All network calls go through membrane CLI; external URLs (membr…
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:36-90 — Shell commands (npm install, membrane login/connect/run) are ex…
Environment	`NONE`	`NONE`	—	No environment variable access detected; credentials managed by Membrane server-…
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation observed
Clipboard	`NONE`	`NONE`	—	No clipboard access detected
Browser	`NONE`	`NONE`	—	Browser used only for OAuth login flow via membrane CLI, which is standard and d…
Database	`NONE`	`NONE`	—	No direct database access; interacts only with 4dem.It via Membrane proxy

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://www.4dem.it/en/api-documentation/

SKILL.md:19

File Tree

1 files · 4.2 KB · 123 lines

Markdown 1f · 123L

└─ 📝 SKILL.md Markdown 123L · 4.2 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`latest`	npm	No	Pinned version recommended (e.g., @membranehq/[email protected]) to prevent supply chain surprises

Security Positives

✓ No scripts or binary files present — only documentation

✓ All shell commands are explicitly declared in SKILL.md

✓ Credentials are managed server-side by Membrane; no local secret storage

✓ No credential harvesting from environment variables or sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64-encoded payloads, eval calls, or obfuscated code

✓ No remote script execution (curl|bash, wget|sh) detected

✓ No access to sensitive filesystem paths

✓ External URLs point to legitimate domains (membranehq.com, 4dem.it)

✓ npm install uses a named package with no wildcards — auditable dependency

✓ No hidden functionality or doc-to-code mismatch observed

✓ The skill follows the principle of least privilege — Membrane handles auth so the skill never sees raw tokens

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives