中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 10/100
Last scan:1 day ago Rescan
10 /100
ceipal
Ceipal integration. Manage data, records, and automate workflows via the Membrane CLI.
This is a thin documentation-only skill that describes how to use the Membrane CLI to interact with the Ceipal API. No scripts, no code, no credential handling — all auth and networking are delegated to a legitimate third-party CLI.
Skill Nameceipal
Duration24.3s
Enginepi
Safe to install
Safe to use. No local code execution beyond standard `npm install -g`. Monitor Membrane CLI's own supply-chain posture if the organization requires strict dependency controls.

Findings 1 items

Severity Finding Location
Low
Global npm install of third-party CLI Supply Chain
The skill instructs `npm install -g @membranehq/cli`. Global npm installs modify system-wide package state and could conflict with version-pinned environments. However, this is a declared and necessary step for the integration.
npm install -g @membranehq/cli
→ Consider documenting the minimum required version of the CLI and pinning to a specific version (e.g., @membranehq/[email protected]) to reduce supply-chain risk.
 SKILL.md:27
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned npm install -g @membranehq/cli — writes to global npm prefix
Network READ READ ✓ Aligned membrane request / membrane action run — outbound to Ceipal API via Membrane pro…
Shell WRITE WRITE ✓ Aligned Executes `membrane` CLI commands via shell — declared in SKILL.md
Environment NONE NONE No environment variable access observed
Skill Invoke NONE NONE No cross-skill invocation observed
Clipboard NONE NONE No clipboard access observed
Browser NONE NONE Browser used only for OAuth login flow (declared); no programmatic browser contr…
Database NONE NONE No database access observed
2 findings
🔗
Medium External URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
Medium External URL 外部 URL
https://www.ceipal.com/api-docs/
SKILL.md:19

File Tree

1 files · 4.6 KB · 148 lines
Markdown 1f · 148L
└─ 📝 SKILL.md Markdown 148L · 4.6 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
@membranehq/cli latest (not pinned) npm No Version not pinned — global install recommended in docs

Security Positives

✓ No local scripts or code files — this is a documentation-only skill
✓ No credential handling — Membrane manages auth server-side
✓ No credential harvesting or environment variable iteration
✓ No obfuscation, base64, or anti-analysis patterns
✓ No hidden functionality — all operations are described in SKILL.md
✓ No data exfiltration — all network traffic is to declared, relevant Ceipal/Membrane endpoints
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No supply-chain IOCs beyond the documented npm package