Trusted - Risk score 5/100
Last scanned: 1 day ago
cleeng
Cleeng integration for subscriber retention management and video monetization
Legitimate Cleeng API integration skill that uses the Membrane CLI for credential management and API access. All functionality is clearly documented with no hidden behavior.
Skill name: cleeng
Analysis time: 20.1s
Engine: pi
OK to install
Skill is safe to use. Consider pinning the CLI version in production environments for reproducibility.

Security findings: 1

Severity: Low
Finding: CLI version not pinned in install command (Supply chain)
The skill uses 'npm install -g @membranehq/cli' without a version specifier. This could lead to unexpected updates.
npm install -g @membranehq/cli
→ Pin to a specific version for reproducibility: npm install -g @membranehq/cli@<version>
Location: SKILL.md:33
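
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | NONE | NONE | | No file operations required |
| Network access | READ | READ | ✓ Consistent | SKILL.md line 19-20: Requires network access for Cleeng API |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md line 34: npm install -g @membranehq/cli; membrane commands |
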
2 findings

Medium: External URL
https://getmembrane.com
SKILL.md:7

Medium: External URL
https://developers.cleeng.com/
SKILL.md:19

Directory structure

1 file · 4.3 KB · 127 lines
Markdown 1f · 127L
└─ 📝 SKILL.md Markdown 127L · 4.3 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| @membranehq/cli | not pinned | npm | | Version not pinned in SKILL.md install command |

Security highlights

✓ Explicitly instructs not to ask users for API keys or tokens
✓ Credentials managed server-side by Membrane with no local secrets
✓ Uses pre-built actions over raw API calls (reduces error risk)
✓ All functionality clearly documented in SKILL.md
✓ No hidden shell execution or obfuscated code
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)