Low Risk — Risk Score 15/100
Last scan: 1 day ago
zephyr-essential-cloud
Zephyr Essential Cloud integration for test management with Jira
A well-documented integration skill for Zephyr Essential Cloud using the Membrane CLI proxy service, with no evidence of malicious behavior.
Skill Name: zephyr-essential-cloud
Duration: 26.5s
Engine: pi
Safe to install
This skill can be used safely. Monitor npm package versions for @membranehq/cli updates and consider pinning to a specific version in production environments.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned npm package with @latest tag | Supply Chain
The skill uses npm install -g @membranehq/cli and npx @membranehq/cli@latest without version pinning. This could lead to unexpected behavior if the package is updated.
npm install -g @membranehq/cli
→ Consider pinning to a specific version, e.g., npm install -g @membranehq/[email protected]
SKILL.md:20
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md: Uses membrane CLI for API proxy requests to Zephyr Cloud
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: Runs npm install and membrane CLI commands
Filesystem | NONE | NONE | | No file operations observed
Environment | NONE | NONE | | No environment variable access observed
credential_theft | NONE | NONE | | Uses OAuth/browser authentication via Membrane; no local credential storage
2 findings

Medium | External URL | https://getmembrane.com | SKILL.md:7
Medium | External URL | https://support.smartbear.com/zephyr-scale-cloud/api-docs/ | SKILL.md:19

File Tree

1 file · 4.5 KB · 128 lines
Markdown 1f · 128L
└─ 📝 SKILL.md Markdown 128L · 4.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
@membranehq/cli | latest (unpinned) | npm | No | No version specified - uses @latest tag

Security Positives

✓ Well-documented SKILL.md with clear capability declarations
✓ Uses OAuth/browser-based authentication instead of storing API keys locally
✓ No credential harvesting or exfiltration patterns detected
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No reverse shell, C2 communication, or data theft indicators
✓ Legitimate third-party service (Membrane) with proper auth lifecycle management
✓ Network access is declared and necessary for the integration
✓ All shell commands are documented CLI tool invocations