Scan Report
Score: 20/100
turbot-pipes
Turbot Pipes integration for data governance and cloud resource management
The Turbot Pipes integration skill is a legitimate data governance tool that uses the Membrane CLI for secure credential handling, with minor supply-chain concerns around unpinned npm installations.
Safe to install
Consider pinning the npm package version to a specific release tag to reduce supply-chain risk. Otherwise, this skill follows good security practices by delegating credential management to Membrane.
Findings (2 items)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | NPM package version not pinned | Supply Chain | SKILL.md:35 |
| Low | Using @latest for npx execution | Supply Chain | SKILL.md:55 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | All network calls go through Membrane CLI proxy |
| Shell | WRITE | WRITE | ✓ Aligned | Uses npm install and membrane CLI commands |
External URLs (2 findings)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://turbot.com/v5/en/docs/pipes/ | SKILL.md:19 |
File Tree
1 file · 4.6 KB · 135 lines
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Version not pinned, uses @latest tag |
Security Positives
✓ Credential management delegated to Membrane platform - no local API key storage
✓ Browser-based OAuth authentication prevents credential theft patterns
✓ Well-documented functionality with clear purpose
✓ Uses established CLI tool from recognized vendor (Membrane)
✓ No obfuscated code or hidden functionality
✓ MIT license with transparent authorship
✓ No sensitive path access or environment variable harvesting