Scan Report
5 /100
ibanity
Ibanity open banking integration using the Membrane CLI
The Ibanity skill is a straightforward open banking integration using the Membrane CLI; no malicious behavior, credential harvesting, or hidden functionality detected.
Safe to install
No action needed. This skill is safe to use as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: npm install -g @membranehq/cli; membrane login/connect/action/request … |
| Network | READ | READ | ✓ Aligned | SKILL.md: Proxy requests via membrane request; all external comms routed through… |
| Filesystem | NONE | NONE | — | No file read/write operations declared or observed |
| Environment | NONE | NONE | — | No environment variable access; credentials managed server-side by Membrane |
| Skill Invoke | NONE | NONE | — | No skill self-invocation observed |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Browser used only for OAuth login flow via Membrane (legitimate, declared) |
| Database | NONE | NONE | — | No database access |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://developers.ibanity.com/ SKILL.md:19 File Tree
1 files · 4.4 KB · 124 lines Markdown 1f · 124L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | latest | npm | No | Version can be pinned for reproducibility |
Security Positives
✓ Credentials are managed server-side by Membrane — no local secret storage or environment variable harvesting
✓ All external network communication is routed through the Membrane proxy platform
✓ Skill uses a well-known, publicly documented CLI (Membrane) with no obfuscation or base64 payloads
✓ Best practices are explicitly documented (prefer pre-built actions over raw API calls, let Membrane handle credentials)
✓ No credential harvesting, no sensitive file access (~/.ssh, ~/.aws, .env), no data exfiltration
✓ No supply chain risks — npm package is from Membrane (legitimate vendor), version can be pinned with @latest
✓ Documentation is clear and matches observed behavior — no doc-to-code mismatch