Trusted — Risk Score 0/100
Last scan: 23 hr ago
tradogram
Tradogram integration for procurement and supply chain management
A legitimate Tradogram integration skill using the Membrane CLI with fully documented shell commands, network access, and OAuth-based authentication flows. No hidden functionality, credential harvesting, or data exfiltration detected.
Skill Name: tradogram
Duration: 24.7s
Engine: pi
Safe to install
This skill is safe to use. The only minor concern is the use of @latest for the npm installation, which could lead to unexpected updates. Consider pinning to a specific version for reproducibility.
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md uses npm install, membrane login, membrane connect, membrane action run…
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7

Medium: External URL
https://tradogram.com/help-center/
SKILL.md:19

File Tree

1 file · 6.1 KB · 225 lines
Markdown 1f · 225L
└─ 📝 SKILL.md Markdown 225L · 6.1 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
@membranehq/cli | latest | npm | No | Uses @latest tag - consider pinning for reproducibility

Security Positives

✓ All shell commands are fully documented in SKILL.md
✓ No hidden or undocumented functionality detected
✓ No credential harvesting or token exfiltration
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoded or obfuscated commands
✓ Uses OAuth-based authentication through Membrane's infrastructure
✓ No suspicious network indicators (IP addresses, C2 communication)
✓ No supply chain risks detected - uses official @membranehq/cli package