扫描报告
15 /100
expertai
Expert.ai integration skill for managing data, records, and automating workflows via Membrane CLI
This skill is documentation-only (single SKILL.md file) describing integration with Expert.ai via the Membrane CLI. No executable code exists; the skill provides legitimate guidance for installing npm packages and using a documented CLI tool.
可以安装
No immediate action required. Consider pinning the npm package version (e.g., `@membranehq/[email protected]`) instead of installing without a version specifier to improve reproducibility.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Unpinned npm package version 供应链 | SKILL.md:36 |
| 低危 | Inferred shell:WRITE capability not declared 文档欺骗 | SKILL.md:35 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | NONE | — | No file operations in documentation |
| 网络访问 | NONE | READ | ✓ 一致 | External URLs are documented for user reference, not automated requests |
| 命令执行 | NONE | WRITE | ✓ 一致 | npm install and membrane CLI commands are documented, not hidden |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://developer.expert.ai/ SKILL.md:19 目录结构
1 文件 · 4.3 KB · 124 行 Markdown 1f · 124L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | unpinned | npm | 否 | No version specified - recommend pinning to specific version |
安全亮点
✓ No executable code files present - purely documentation
✓ No credential harvesting or environment variable access
✓ No base64, eval, or obfuscation patterns detected
✓ No remote script execution (curl|bash patterns)
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ Uses legitimate, documented CLI tool (Membrane)
✓ No hidden functionality or shadow features
✓ No C2 communication or data exfiltration indicators