whosonlocation 安全扫描报告 — 可信 | ClawSafe

5 /100

whosonlocation

WhosOnLocation integration for visitor management via Membrane CLI

Legitimate WhosOnLocation API integration skill using Membrane CLI with fully declared capabilities and no hidden functionality.

技能名称whosonlocation

分析耗时21.0s

引擎pi

✓

可以安装

This skill is safe to use. No security concerns identified.

安全发现 1 项

严重性	安全发现	位置
低危	npm install without pinned version The SKILL.md uses 'npm install -g @membranehq/cli' without specifying a version. This is standard CLI practice but could in theory fetch a different version. `npm install -g @membranehq/cli` → Consider using '@membranehq/cli@latest' or a specific version tag for reproducibility	`SKILL.md:25`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: 'npm install -g @membranehq/cli' and 'membrane' command invocations
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: 'Requires network access' and API proxy commands
文件系统	`NONE`	`WRITE`	✓ 一致	Required for npm install; limited to CLI tool installation

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://help.whosonlocation.com/

SKILL.md:19

1 文件 · 4.7 KB · 134 行

Markdown 1f · 134L

└─ 📝 SKILL.md Markdown 134L · 4.7 KB

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`*`	npm	否	Version not pinned - standard for CLI tools

✓ All shell commands are documented and necessary for the integration

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64 encoded payloads or obfuscated code

✓ No credential harvesting or data exfiltration

✓ Membrane handles auth lifecycle server-side, no local secrets stored

✓ Clear and accurate documentation matching implementation

✓ Uses established CLI tool (Membrane) for secure API integration