Scan Report
15 /100
whatsable
WhatsAble integration for managing WhatsApp data, records, and workflow automation
WhatsAble integration skill using Membrane CLI for WhatsApp data management; well-documented behavior with no malicious indicators, though npm package installation lacks version pinning.
Safe to install
Consider pinning the CLI version (e.g., `@membranehq/[email protected]`) to reduce supply chain risk. Otherwise, the skill is safe for use.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | CLI package installed without version pinning Supply Chain | SKILL.md:24 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | All network access goes through documented Membrane proxy for WhatsAble API comm… |
| Shell | WRITE | WRITE | ✓ Aligned | Shell access declared for npm install and membrane CLI commands; all usage docum… |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://www.whatsable.com/docs SKILL.md:19 File Tree
1 files · 4.3 KB · 129 lines Markdown 1f · 129L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | latest | npm | No | Version not pinned - uses latest tag |
Security Positives
✓ All functionality declared and documented in SKILL.md with no hidden behavior
✓ Credential management handled server-side by Membrane with no local secret storage
✓ No credential harvesting or sensitive data access patterns detected
✓ No obfuscation techniques (base64, eval) or suspicious code patterns
✓ Uses legitimate CLI toolchain for documented integration purpose
✓ Best practices documented for preferring pre-built actions over raw API calls