扫描报告
5 /100
carapi
CarAPI integration for vehicle data access via Membrane CLI
Documentation-only skill using the legitimate Membrane CLI for CarAPI integration with no malicious behavior detected.
可以安装
This skill is safe to use. No security concerns identified.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 命令执行 | WRITE | WRITE | ✓ 一致 | npm install -g @membranehq/cli; membrane login |
| 网络访问 | READ | READ | ✓ 一致 | membrane request for API calls |
| 文件系统 | NONE | NONE | — | No filesystem access required or used |
| 环境变量 | NONE | NONE | — | No environment variable access |
| 技能调用 | NONE | NONE | — | No cross-skill invocation |
| 剪贴板 | NONE | NONE | — | No clipboard access |
| 浏览器 | NONE | NONE | — | No browser automation |
| 数据库 | NONE | NONE | — | No database access |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://developer.nrel.gov/docs/transportation/jpat-v1/ SKILL.md:19 目录结构
1 文件 · 4.4 KB · 125 行 Markdown 1f · 125L
└─
SKILL.md
Markdown
安全亮点
✓ No executable code - documentation only
✓ Uses legitimate third-party Membrane CLI (@membranehq/cli)
✓ Credentials delegated to Membrane service (server-side management)
✓ No credential harvesting or exfiltration
✓ No reverse shells, C2 infrastructure, or data theft
✓ No base64-encoded commands or obfuscated payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No suspicious patterns (eval, atob, subprocess with hidden commands)
✓ All shell commands are documented and serve legitimate purposes