扫描报告
15 /100
plaid
Plaid integration for managing banking data, transactions, and workflows via Membrane CLI
Single-file Plaid integration skill using Membrane CLI; all functionality is documented with no hidden behavior, though npm install lacks version pinning.
可以安装
Pin the CLI version in the install command (e.g., `@membranehq/[email protected]`) to prevent unexpected updates.
安全发现 1 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Unpinned npm package version 供应链 | SKILL.md:26 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | NONE | — | No file operations described or performed |
| 网络访问 | READ | READ | ✓ 一致 | Membrane proxy requests to Plaid API; documented in SKILL.md |
| 命令执行 | WRITE | WRITE | ✓ 一致 | npm install and membrane CLI commands; declared in SKILL.md |
| 环境变量 | NONE | NONE | — | No environment variable access documented or observed |
| 技能调用 | NONE | NONE | — | No cross-skill invocation |
| 剪贴板 | NONE | NONE | — | No clipboard operations |
| 浏览器 | NONE | NONE | — | OAuth flow uses external browser, not automated browser control |
| 数据库 | NONE | NONE | — | No database access |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://plaid.com/docs/ SKILL.md:19 目录结构
1 文件 · 4.4 KB · 130 行 Markdown 1f · 130L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | * | npm | 否 | Version not pinned — installs latest on npm install |
安全亮点
✓ All capabilities explicitly documented in SKILL.md — no hidden behavior
✓ Credential management delegated to Membrane's server-side auth lifecycle — no local secrets stored
✓ No credential harvesting, data exfiltration, or obfuscation observed
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) accessed
✓ Uses pre-built Membrane actions rather than raw API calls, reducing attack surface
✓ MIT license and public repository listed for verification