Low Risk — Risk Score 15/100
Last scan: 1 day ago
telesign
TeleSign integration for phone verification, SMS messaging, and fraud prevention via Membrane CLI
A legitimate TeleSign integration skill using the Membrane CLI for phone verification and SMS workflows. All capabilities are declared, no hidden functionality detected.
Skill Name: telesign
Duration: 23.9s
Engine: pi
Safe to install
Approve for use. The skill is transparent about its npm dependency and CLI commands. Consider pinning the CLI version for reproducibility.

Findings (2 items)

Severity: Low
Finding: Global npm installation
The skill requires installing the Membrane CLI globally via npm. While declared, this modifies system state.
Evidence: npm install -g @membranehq/cli
→ Document version pinning: npm install -g @membranehq/cli@<version> (an explicit release; the @latest tag does not pin a version)
Location: SKILL.md:25

Severity: Info
Finding: External dependency on Membrane service
The skill relies on the Membrane CLI (membranehq.com) for all API interactions. This introduces a third-party trust dependency.
Evidence: "This skill uses the Membrane CLI to interact with TeleSign"
→ Verify Membrane's security posture and privacy policy before deployment
Location: SKILL.md:1
| Resource     | Declared | Inferred | Status    | Evidence                                          |
| Shell        | WRITE    | WRITE    | ✓ Aligned | npm install -g @membranehq/cli                    |
| Network      | READ     | READ     | ✓ Aligned | membrane request CONNECTION_ID /path/to/endpoint  |
| Filesystem   | NONE     | NONE     |           | No direct file operations                         |
| Environment  | NONE     | NONE     |           | No env access detected                            |
| Skill Invoke | NONE     | NONE     |           | No inter-skill invocation                         |
| Clipboard    | NONE     | NONE     |           | No clipboard access                               |
| Browser      | NONE     | NONE     |           | Browser used via CLI OAuth flow only              |
| Database     | NONE     | NONE     |           | No database access                                |
External URLs (2 findings)

| Severity | Type         | URL                                                     | Location    |
| Medium   | External URL | https://getmembrane.com                                 | SKILL.md:7  |
| Medium   | External URL | https://developers.telesign.com/docs/rest-api-overview  | SKILL.md:19 |

File Tree

1 file · 4.6 KB · 130 lines
Markdown: 1 file · 130 lines
└─ SKILL.md (Markdown, 130 lines, 4.6 KB)

Dependencies (1 item)

| Package         | Version | Source | Known Vulns | Notes                                                   |
| @membranehq/cli | latest  | npm    | No          | Version not pinned; recommend using an explicit version |

Security Positives

✓ All shell commands are explicitly declared in documentation
✓ No credential harvesting - uses OAuth flow via Membrane
✓ No base64, obfuscation, or hidden payloads detected
✓ Best practices explicitly advise against asking users for API keys
✓ Transparent about external API calls through Membrane proxy
✓ Uses legitimate, documented CLI tool (Membrane)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data exfiltration patterns