warpwire 安全扫描报告 — 低风险 | ClawSafe

10 /100

warpwire

Warpwire integration for video platform management via Membrane CLI

Legitimate Warpwire video platform integration using the Membrane CLI with transparent documentation and no hidden functionality.

技能名称warpwire

分析耗时30.5s

引擎pi

✓

可以安装

Skill is safe to use. Consider pinning CLI versions in production environments.

安全发现 1 项

严重性	安全发现	位置
低危	CLI installed without version pinning 供应链 The SKILL.md instructs users to install @membranehq/cli with @latest tag, which could fetch different versions over time. Version pinning would improve reproducibility. `npm install -g @membranehq/cli` → Consider pinning to a specific version, e.g., npm install -g @membranehq/[email protected]	`SKILL.md:29`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md:29 - npm install -g; SKILL.md:35-73 - membrane CLI commands
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:75-93 - membrane request proxies to Warpwire API

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://support.warpwire.com/

SKILL.md:19

1 文件 · 4.4 KB · 127 行

Markdown 1f · 127L

└─ 📝 SKILL.md Markdown 127L · 4.4 KB

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`latest`	npm	否	Version not pinned - installs latest tag

✓ Documentation is clear and comprehensive about all functionality

✓ No credential harvesting - credentials managed server-side by Membrane

✓ No obfuscated code or hidden instructions

✓ No sensitive file/path access (no ~/.ssh, .env, etc.)

✓ No base64-encoded payloads or anti-analysis techniques

✓ Uses legitimate third-party connector (Membrane) for auth lifecycle

✓ No remote code execution from untrusted sources

✓ No evidence of data exfiltration