Trusted — Risk score 5/100
Last scanned: 1 day ago
wb
W&B integration - manage data, records, and automate workflows using Weights & Biases
Legitimate W&B integration skill using the Membrane CLI with fully documented behavior and no malicious indicators.
Skill name: wb
Analysis time: 26.3s
Engine: pi
OK to install
Skill is safe to use. Consider pinning the npm package version for improved supply chain security.

Security findings: 1

Severity: Low
Finding: Unpinned npm dependency (Supply chain)
The @membranehq/cli package is installed without version pinning, which could lead to unexpected behavior if the package is updated.
npm install -g @membranehq/cli
→ Pin the version: npm install -g @membranehq/cli@<version>
Location: SKILL.md:30
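Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md line 4: 'Requires network access'
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: membrane CLI commands documented
File system | NONE | NONE | | No file operations observed
Environment variables | NONE | NONE | | No environment access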
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://docs.wandb.ai/ref/python
SKILL.md:19

Directory structure

1 file · 4.3 KB · 126 lines
Markdown 1f · 126L
└─ 📝 SKILL.md Markdown 126L · 4.3 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | * | npm | | Version not pinned - recommended to specify a version

Security highlights

✓ All shell commands are fully documented in SKILL.md
✓ Network access is explicitly declared in compatibility field
✓ No credential theft - credential handling delegated to Membrane
✓ No base64, obfuscation, or anti-analysis patterns detected
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env access)
✓ No C2 communication or data exfiltration indicators
✓ Membrane is a legitimate platform (membrane.dev)
✓ No hidden functionality - skill is purely documentation