中文 EN

扫描报告

扫描新文件

可信 — 风险评分 10/100
上次扫描:2 天前 重新扫描
10 /100
4demit
4dem.It integration. Manage data, records, and automate workflows via Membrane CLI.
A clean, documentation-only skill for integrating with 4dem.It via the Membrane CLI. No scripts, no binary files, no hidden functionality, and all shell/network operations are explicitly declared and necessary for the stated purpose.
技能名称4demit
分析耗时24.1s
引擎pi
可以安装
No action needed. The skill is safe to use.

安全发现 1 项

严重性 安全发现 位置
低危
Incomplete skill description
SKILL.md states 'I don't have enough information about this app' — the description field is essentially empty, making it difficult to understand the full scope of the skill without reading the full document.
I don't have enough information about this app to accurately describe it.
→ Add a meaningful description covering what 4dem.It does (appears to be a CRM ticketing system) and the primary use cases for the skill.
 SKILL.md:12
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 SKILL.md:36 — npm install -g writes to filesystem; no other file access needed
网络访问 READ READ ✓ 一致 SKILL.md:42-90 — All network calls go through membrane CLI; external URLs (membr…
命令执行 WRITE WRITE ✓ 一致 SKILL.md:36-90 — Shell commands (npm install, membrane login/connect/run) are ex…
环境变量 NONE NONE No environment variable access detected; credentials managed by Membrane server-…
技能调用 NONE NONE No cross-skill invocation observed
剪贴板 NONE NONE No clipboard access detected
浏览器 NONE NONE Browser used only for OAuth login flow via membrane CLI, which is standard and d…
数据库 NONE NONE No direct database access; interacts only with 4dem.It via Membrane proxy
2 项发现
🔗
中危 外部 URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
中危 外部 URL 外部 URL
https://www.4dem.it/en/api-documentation/
SKILL.md:19

目录结构

1 文件 · 4.2 KB · 123 行
Markdown 1f · 123L
└─ 📝 SKILL.md Markdown 123L · 4.2 KB

依赖分析 1 项

包名版本来源已知漏洞备注
@membranehq/cli latest npm Pinned version recommended (e.g., @membranehq/[email protected]) to prevent supply chain surprises

安全亮点

✓ No scripts or binary files present — only documentation
✓ All shell commands are explicitly declared in SKILL.md
✓ Credentials are managed server-side by Membrane; no local secret storage
✓ No credential harvesting from environment variables or sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads, eval calls, or obfuscated code
✓ No remote script execution (curl|bash, wget|sh) detected
✓ No access to sensitive filesystem paths
✓ External URLs point to legitimate domains (membranehq.com, 4dem.it)
✓ npm install uses a named package with no wildcards — auditable dependency
✓ No hidden functionality or doc-to-code mismatch observed
✓ The skill follows the principle of least privilege — Membrane handles auth so the skill never sees raw tokens