ubuntu-landscape Security Report — Low Risk | ClawSafe

15 /100

ubuntu-landscape

Ubuntu Landscape integration skill for systems management

This is a documentation-only skill that provides guidance for using Ubuntu Landscape with Membrane CLI; no malicious code or hidden functionality detected.

Skill Nameubuntu-landscape

Duration30.5s

Enginepi

✓

Safe to install

Skill is safe to use. Consider pinning the Membrane CLI to a specific version instead of using @latest to reduce supply chain risk.

Findings 2 items

Severity	Finding	Location
Low	Unpinned npm dependency version Supply Chain SKILL.md uses @latest tag for @membranehq/cli package, which could introduce unexpected behavior if a new version is released. `npm install -g @membranehq/cli` → Pin to a specific version (e.g., @membranehq/[email protected]) in production skills.	`SKILL.md:31`
Info	Documentation-only skill Doc Mismatch This skill contains no implementation scripts. It provides guidance for using an external CLI tool. `Documentation for Ubuntu Landscape integration via Membrane CLI` → No action needed; this is by design.	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md line 30: npm install requires network access
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md: CLI commands (membrane login, membrane action run)
Filesystem	`NONE`	`NONE`	—	No file operations performed
Environment	`NONE`	`NONE`	—	No environment variable access detected
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	Browser auth handled by Membrane SDK
Database	`NONE`	`NONE`	—	No database access

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://landscape.canonical.com/set-up-server

SKILL.md:19

File Tree

1 files · 4.4 KB · 123 lines

Markdown 1f · 123L

└─ 📝 SKILL.md Markdown 123L · 4.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`* (latest)`	npm	No	Version not pinned; uses @latest tag

Security Positives

✓ No code execution or scripts present in this skill

✓ All capabilities and behavior are clearly documented in SKILL.md

✓ No credential harvesting - Membrane handles authentication transparently

✓ No data exfiltration - only interacts with declared Ubuntu Landscape API

✓ No sensitive file access (~/.ssh, ~/.aws, .env)

✓ No base64 encoded commands or obfuscation

✓ No suspicious network behavior or hardcoded IPs

✓ Uses legitimate, documented CLI tool (@membranehq/cli)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives