Scan Report
15 /100
expertai
Expert.ai integration skill for managing data, records, and automating workflows via Membrane CLI
This skill is documentation-only (single SKILL.md file) describing integration with Expert.ai via the Membrane CLI. No executable code exists; the skill provides legitimate guidance for installing npm packages and using a documented CLI tool.
Safe to install
No immediate action required. Consider pinning the npm package version (e.g., `@membranehq/[email protected]`) instead of installing without a version specifier to improve reproducibility.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm package version Supply Chain | SKILL.md:36 |
| Low | Inferred shell:WRITE capability not declared Doc Mismatch | SKILL.md:35 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in documentation |
| Network | NONE | READ | ✓ Aligned | External URLs are documented for user reference, not automated requests |
| Shell | NONE | WRITE | ✓ Aligned | npm install and membrane CLI commands are documented, not hidden |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://developer.expert.ai/ SKILL.md:19 File Tree
1 files · 4.3 KB · 124 lines Markdown 1f · 124L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | unpinned | npm | No | No version specified - recommend pinning to specific version |
Security Positives
✓ No executable code files present - purely documentation
✓ No credential harvesting or environment variable access
✓ No base64, eval, or obfuscation patterns detected
✓ No remote script execution (curl|bash patterns)
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ Uses legitimate, documented CLI tool (Membrane)
✓ No hidden functionality or shadow features
✓ No C2 communication or data exfiltration indicators