Low risk, risk score 20/100
Last scanned: 1 day ago
thoughtly
Thoughtly integration for knowledge management and workflow automation
A legitimate knowledge management integration skill using the Membrane CLI with only minor documentation gaps.
Skill name: thoughtly
Analysis time: 32.1s
Engine: pi
Safe to install
No blocking action needed. Consider adding a note about the npm global install requirement in the metadata.

Security findings: 1

Severity | Finding | Location
Low
Limited documentation about local state · Documentation deception
The SKILL.md does not document that the Membrane CLI creates local configuration/state files (~/.membrane or similar).
No mention of local CLI state
→ Consider documenting where CLI credentials/tokens are stored locally.
SKILL.md:1
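Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:36-38 npm install -g commands
Network access | READ | READ | ✓ Consistent | SKILL.md:12-14 Membrane CLI makes API calls
File system | NONE | READ | ✓ Consistent | CLI tools may read config files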
1 finding
Medium · External URL
https://getmembrane.com
SKILL.md:7

Directory structure

1 file · 4.5 KB · 123 lines
Markdown 1f · 123L
└─ 📝 SKILL.md Markdown 123L · 4.5 KB

Security highlights

✓ No obfuscated code or base64 payloads detected
✓ No credential exfiltration to external servers
✓ Uses official npm package from @membranehq
✓ All shell commands are documented and transparent
✓ Authentication flows through established OAuth/browser pattern
✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)
✓ No suspicious network patterns or direct IP connections
✓ No reverse shell, C2, or data theft indicators