Trusted — Risk Score 5/100
Last scan: 2 days ago
whosonlocation
WhosOnLocation integration for visitor management via Membrane CLI
Legitimate WhosOnLocation API integration skill using Membrane CLI with fully declared capabilities and no hidden functionality.
Skill Name: whosonlocation
Duration: 21.0s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 1 items

Severity | Finding | Location
Low | npm install without pinned version | SKILL.md:25
The SKILL.md uses 'npm install -g @membranehq/cli' without specifying a version. This is standard CLI practice but could in theory fetch a different version.
npm install -g @membranehq/cli
→ Consider using '@membranehq/cli@latest' or a specific version tag for reproducibility
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: 'npm install -g @membranehq/cli' and 'membrane' command invocations
Network | READ | READ | ✓ Aligned | SKILL.md: 'Requires network access' and API proxy commands
Filesystem | NONE | WRITE | ✓ Aligned | Required for npm install; limited to CLI tool installation
2 findings
Medium External URL
https://getmembrane.com
SKILL.md:7
Medium External URL
https://help.whosonlocation.com/
SKILL.md:19

File Tree

1 files · 4.7 KB · 134 lines
Markdown 1f · 134L
└─ 📝 SKILL.md Markdown 134L · 4.7 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
@membranehq/cli | * | npm | No | Version not pinned - standard for CLI tools

Security Positives

✓ All shell commands are documented and necessary for the integration
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoded payloads or obfuscated code
✓ No credential harvesting or data exfiltration
✓ Membrane handles auth lifecycle server-side, no local secrets stored
✓ Clear and accurate documentation matching implementation
✓ Uses established CLI tool (Membrane) for secure API integration