open-policy-agent 安全扫描报告 — 低风险 | ClawSafe

10 /100

open-policy-agent

Open Policy Agent integration. Manage data, records, and automate workflows. Use when the user wants to interact with Open Policy Agent data.

Documentation-only skill that describes installing and using the legitimate Membrane CLI for Open Policy Agent integration; no executable code, hidden functionality, or suspicious patterns detected.

技能名称open-policy-agent

分析耗时29.8s

引擎pi

✓

可以安装

This is a documentation-only skill. The actual security posture depends on the external @membranehq/cli package. Verify the package integrity and review Membrane's privacy policy before use in sensitive environments.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned npm dependency 供应链 The skill instructs installing @membranehq/cli without specifying a version, using @latest tag. This could lead to unexpected updates. `npm install -g @membranehq/cli` → Pin to a specific version for reproducible builds, e.g., npm install -g @membranehq/[email protected]	`SKILL.md:30`
低危	Credential lifecycle not fully explained 文档欺骗 The skill states 'Membrane handles authentication and credentials refresh automatically' but does not detail where credentials are stored or how they are managed server-side. `Membrane handles authentication and credentials refresh automatically` → Review Membrane's privacy policy and credential handling documentation to ensure compliance with your security requirements.	`SKILL.md:28`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:39 - membrane action run commands interact with external API
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md:30 - npm install -g @membranehq/cli
文件系统	`NONE`	`NONE`	—	No file operations described
环境变量	`NONE`	`NONE`	—	No environment variable access
技能调用	`NONE`	`NONE`	—	No nested skill invocations
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	Browser used only for OAuth flow, documented and user-initiated
数据库	`NONE`	`NONE`	—	No database access

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://www.openpolicyagent.org/docs/latest/

SKILL.md:19

目录结构

1 文件 · 4.5 KB · 124 行

Markdown 1f · 124L

└─ 📝 SKILL.md Markdown 124L · 4.5 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`latest`	npm	否	Version not pinned; uses @latest tag

安全亮点

✓ No executable code present; this is a documentation-only skill

✓ All operations are clearly documented in SKILL.md

✓ No credential theft patterns detected (no environment variable iteration, no ~/.ssh or similar access)

✓ No obfuscation or encoded payloads detected

✓ No base64, eval, or suspicious execution patterns

✓ No data exfiltration mechanisms present

✓ No hidden functionality or shadow features

✓ OAuth/browser flow for login is user-initiated and documented

✓ Best practices section explicitly warns against asking users for API keys