open-policy-agent Security Report — Low Risk | ClawSafe

10 /100

open-policy-agent

Open Policy Agent integration. Manage data, records, and automate workflows. Use when the user wants to interact with Open Policy Agent data.

Documentation-only skill that describes installing and using the legitimate Membrane CLI for Open Policy Agent integration; no executable code, hidden functionality, or suspicious patterns detected.

Skill Nameopen-policy-agent

Duration29.8s

Enginepi

✓

Safe to install

This is a documentation-only skill. The actual security posture depends on the external @membranehq/cli package. Verify the package integrity and review Membrane's privacy policy before use in sensitive environments.

Findings 2 items

Severity	Finding	Location
Low	Unpinned npm dependency Supply Chain The skill instructs installing @membranehq/cli without specifying a version, using @latest tag. This could lead to unexpected updates. `npm install -g @membranehq/cli` → Pin to a specific version for reproducible builds, e.g., npm install -g @membranehq/[email protected]	`SKILL.md:30`
Low	Credential lifecycle not fully explained Doc Mismatch The skill states 'Membrane handles authentication and credentials refresh automatically' but does not detail where credentials are stored or how they are managed server-side. `Membrane handles authentication and credentials refresh automatically` → Review Membrane's privacy policy and credential handling documentation to ensure compliance with your security requirements.	`SKILL.md:28`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md:39 - membrane action run commands interact with external API
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:30 - npm install -g @membranehq/cli
Filesystem	`NONE`	`NONE`	—	No file operations described
Environment	`NONE`	`NONE`	—	No environment variable access
Skill Invoke	`NONE`	`NONE`	—	No nested skill invocations
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	Browser used only for OAuth flow, documented and user-initiated
Database	`NONE`	`NONE`	—	No database access

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://www.openpolicyagent.org/docs/latest/

SKILL.md:19

File Tree

1 files · 4.5 KB · 124 lines

Markdown 1f · 124L

└─ 📝 SKILL.md Markdown 124L · 4.5 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`latest`	npm	No	Version not pinned; uses @latest tag

Security Positives

✓ No executable code present; this is a documentation-only skill

✓ All operations are clearly documented in SKILL.md

✓ No credential theft patterns detected (no environment variable iteration, no ~/.ssh or similar access)

✓ No obfuscation or encoded payloads detected

✓ No base64, eval, or suspicious execution patterns

✓ No data exfiltration mechanisms present

✓ No hidden functionality or shadow features

✓ OAuth/browser flow for login is user-initiated and documented

✓ Best practices section explicitly warns against asking users for API keys

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives