Low risk (risk score 10/100)
Last scanned: 1 day ago
ceipal
Ceipal integration. Manage data, records, and automate workflows via the Membrane CLI.
This is a thin documentation-only skill that describes how to use the Membrane CLI to interact with the Ceipal API. No scripts, no code, no credential handling — all auth and networking are delegated to a legitimate third-party CLI.
Skill name: ceipal
Analysis time: 24.3s
Engine: pi
OK to install
Safe to use. No local code execution beyond standard `npm install -g`. Monitor Membrane CLI's own supply-chain posture if the organization requires strict dependency controls.

Security findings: 1

Severity | Finding | Location
Low
Global npm install of third-party CLI (Supply chain)
The skill instructs `npm install -g @membranehq/cli`. Global npm installs modify system-wide package state and could conflict with version-pinned environments. However, this is a declared and necessary step for the integration.
npm install -g @membranehq/cli
→ Consider documenting the minimum required version of the CLI and pinning to a specific version (e.g., @membranehq/[email protected]) to reduce supply-chain risk.
SKILL.md:27
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | npm install -g @membranehq/cli — writes to global npm prefix |
| Network access | READ | READ | ✓ Consistent | membrane request / membrane action run — outbound to Ceipal API via Membrane pro… |
| Command execution | WRITE | WRITE | ✓ Consistent | Executes `membrane` CLI commands via shell — declared in SKILL.md |
| Environment variables | NONE | NONE | | No environment variable access observed |
| Skill invocation | NONE | NONE | | No cross-skill invocation observed |
| Clipboard | NONE | NONE | | No clipboard access observed |
| Browser | NONE | NONE | | Browser used only for OAuth login flow (declared); no programmatic browser contr… |
| Database | NONE | NONE | | No database access observed |
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://www.ceipal.com/api-docs/
SKILL.md:19

Directory structure

1 file · 4.6 KB · 148 lines
Markdown 1f · 148L
└─ 📝 SKILL.md Markdown 148L · 4.6 KB

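Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest (not pinned) | npm | | Version not pinned — global install recommended in docs |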

Security highlights

✓ No local scripts or code files — this is a documentation-only skill
✓ No credential handling — Membrane manages auth server-side
✓ No credential harvesting or environment variable iteration
✓ No obfuscation, base64, or anti-analysis patterns
✓ No hidden functionality — all operations are described in SKILL.md
✓ No data exfiltration — all network traffic is to declared, relevant Ceipal/Membrane endpoints
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No supply-chain IOCs beyond the documented npm package