cleeng Security Report — Trusted | ClawSafe

5 /100

cleeng

Cleeng integration for subscriber retention management and video monetization

Legitimate Cleeng API integration skill that uses the Membrane CLI for credential management and API access. All functionality is clearly documented with no hidden behavior.

Skill Namecleeng

Duration20.1s

Enginepi

✓

Safe to install

Skill is safe to use. Consider pinning the CLI version in production environments for reproducibility.

Findings 1 items

Severity	Finding	Location
Low	CLI version not pinned in install command Supply Chain The skill uses 'npm install -g @membranehq/cli' without a version specifier. This could lead to unexpected updates. `npm install -g @membranehq/cli` → Pin to a specific version for reproducibility: npm install -g @membranehq/[email protected]	`SKILL.md:33`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations required
Network	`READ`	`READ`	✓ Aligned	SKILL.md line 19-20: Requires network access for Cleeng API
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md line 34: npm install -g @membranehq/cli; membrane commands

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://developers.cleeng.com/

SKILL.md:19

File Tree

1 files · 4.3 KB · 127 lines

Markdown 1f · 127L

└─ 📝 SKILL.md Markdown 127L · 4.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`not pinned`	npm	No	Version not pinned in SKILL.md install command

Security Positives

✓ Explicitly instructs not to ask users for API keys or tokens

✓ Credentials managed server-side by Membrane with no local secrets

✓ Uses pre-built actions over raw API calls (reduces error risk)

✓ All functionality clearly documented in SKILL.md

✓ No hidden shell execution or obfuscated code

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives