Scan report
0/100
tradogram
Tradogram integration for procurement and supply chain management
A legitimate Tradogram integration skill using the Membrane CLI with fully documented shell commands, network access, and OAuth-based authentication flows. No hidden functionality, credential harvesting, or data exfiltration detected.
Safe to install
This skill is safe to use. The only minor concern is using @latest for npm installation which could lead to unexpected updates. Consider pinning to a specific version for reproducibility.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md uses npm install, membrane login, membrane connect, membrane action run… |
2 findings
Medium · External URL · https://getmembrane.com · SKILL.md:7
Medium · External URL · https://tradogram.com/help-center/ · SKILL.md:19
Directory structure
1 file · 6.1 KB · 225 lines (Markdown: 1 file, 225 lines)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Uses @latest tag - consider pinning for reproducibility |
Security highlights
✓ All shell commands are fully documented in SKILL.md
✓ No hidden or undocumented functionality detected
✓ No credential harvesting or token exfiltration
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoded or obfuscated commands
✓ Uses OAuth-based authentication through Membrane's infrastructure
✓ No suspicious network indicators (IP addresses, C2 communication)
✓ No supply chain risks detected - uses official @membranehq/cli package