Scan Report
15/100
telesign
TeleSign integration for phone verification, SMS messaging, and fraud prevention via Membrane CLI
A legitimate TeleSign integration skill using the Membrane CLI for phone verification and SMS workflows. All capabilities are declared, no hidden functionality detected.
Safe to install
Approve for use. The skill is transparent about its npm dependency and CLI commands. Consider pinning CLI version for reproducibility.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Global npm installation | SKILL.md:25 |
| Info | External dependency on Membrane service | SKILL.md:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | npm install -g @membranehq/cli |
| Network access | READ | READ | ✓ Consistent | membrane request CONNECTION_ID /path/to/endpoint |
| File system | NONE | NONE | — | No direct file operations |
| Environment variables | NONE | NONE | — | No env access detected |
| Skill invocation | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Browser used via CLI OAuth flow only |
| Database | NONE | NONE | — | No database access |
2 findings
Medium · External URL · https://getmembrane.com · SKILL.md:7
Medium · External URL · https://developers.telesign.com/docs/rest-api-overview · SKILL.md:19
Directory structure
1 file · 4.6 KB · 130 lines
Markdown 1f · 130L
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Version not pinned - recommend using explicit version |
Security highlights
✓ All shell commands are explicitly declared in documentation
✓ No credential harvesting - uses OAuth flow via Membrane
✓ No base64, obfuscation, or hidden payloads detected
✓ Best practices explicitly advise against asking users for API keys
✓ Transparent about external API calls through Membrane proxy
✓ Uses legitimate, documented CLI tool (Membrane)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data exfiltration patterns