中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:1 天前 重新扫描
15 /100
whatsable
WhatsAble integration for managing WhatsApp data, records, and workflow automation
WhatsAble integration skill using Membrane CLI for WhatsApp data management; well-documented behavior with no malicious indicators, though npm package installation lacks version pinning.
技能名称whatsable
分析耗时21.1s
引擎pi
可以安装
Consider pinning the CLI version (e.g., `@membranehq/[email protected]`) to reduce supply chain risk. Otherwise, the skill is safe for use.

安全发现 1 项

严重性 安全发现 位置
低危
CLI package installed without version pinning 供应链
The skill installs @membranehq/cli using 'latest' tag, which could fetch different versions over time. A malicious version could be pushed to the registry.
npm install -g @membranehq/cli
→ Pin to a specific version: npm install -g @membranehq/[email protected]
 SKILL.md:24
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 All network access goes through documented Membrane proxy for WhatsAble API comm…
命令执行 WRITE WRITE ✓ 一致 Shell access declared for npm install and membrane CLI commands; all usage docum…
2 项发现
🔗
中危 外部 URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
中危 外部 URL 外部 URL
https://www.whatsable.com/docs
SKILL.md:19

目录结构

1 文件 · 4.3 KB · 129 行
Markdown 1f · 129L
└─ 📝 SKILL.md Markdown 129L · 4.3 KB

依赖分析 1 项

包名版本来源已知漏洞备注
@membranehq/cli latest npm Version not pinned - uses latest tag

安全亮点

✓ All functionality declared and documented in SKILL.md with no hidden behavior
✓ Credential management handled server-side by Membrane with no local secret storage
✓ No credential harvesting or sensitive data access patterns detected
✓ No obfuscation techniques (base64, eval) or suspicious code patterns
✓ Uses legitimate CLI toolchain for documented integration purpose
✓ Best practices documented for preferring pre-built actions over raw API calls