Scan Report
15/100
zephyr-essential-cloud
Zephyr Essential Cloud integration for test management with Jira
A well-documented integration skill for Zephyr Essential Cloud using the Membrane CLI proxy service, with no evidence of malicious behavior.
Safe to install
This skill can be used safely. Monitor npm package versions for @membranehq/cli updates and consider pinning to a specific version in production environments.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm package with @latest tag (supply chain) | SKILL.md:20 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md: Uses membrane CLI for API proxy requests to Zephyr Cloud |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: Runs npm install and membrane CLI commands |
| File system | NONE | NONE | — | No file operations observed |
| Environment variables | NONE | NONE | — | No environment variable access observed |
| Credential access | NONE | NONE | — | Uses OAuth/browser authentication via Membrane; no local credential storage |
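2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://support.smartbear.com/zephyr-scale-cloud/api-docs/ | SKILL.md:19 |
Directory structure
1 file · 4.5 KB · 128 lines
Markdown: 1 file · 128 lines
└─ SKILL.md (Markdown)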
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest (unpinned) | npm | No | No version specified - uses @latest tag |
Security highlights
✓ Well-documented SKILL.md with clear capability declarations
✓ Uses OAuth/browser-based authentication instead of storing API keys locally
✓ No credential harvesting or exfiltration patterns detected
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No reverse shell, C2 communication, or data theft indicators
✓ Legitimate third-party service (Membrane) with proper auth lifecycle management
✓ Network access is declared and necessary for the integration
✓ All shell commands are documented CLI tool invocations