中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 12/100
Last scan:2 days ago Rescan
12 /100
factorial
Factorial HR software integration using Membrane CLI
This is a documentation-only skill that describes how to use the Membrane CLI for Factorial API integration; all shell and network access are declared and necessary for the documented purpose, with no hidden functionality or malicious indicators.
Skill Namefactorial
Duration47.3s
Enginepi
Safe to install
Approve for use. No script files exist to inspect further. If the Membrane CLI package (@membranehq/cli) is a concern, consider pinning to a specific version hash or hosting an internal mirror.

Findings 1 items

Severity Finding Location
Low
Third-party npm package dependency
The skill instructs installing @membranehq/cli from npm. This is a third-party package not hosted within the skill's repository. While documented, the package source introduces an external trust dependency.
npm install -g @membranehq/cli
→ Pin to a specific version (e.g., @membranehq/[email protected]) and verify checksum if possible. Consider hosting an internal registry mirror for production environments.
 SKILL.md:52
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md lines 52-68: npm install -g, membrane login, membrane connect, membrane…
Network READ READ ✓ Aligned SKILL.md lines 70-78: membrane request for proxying API calls to Factorial
Filesystem NONE NONE No file read/write operations in skill; npm install writes to global node_module…
Environment NONE NONE No environment variable access observed
2 findings
🔗
Medium External URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
Medium External URL 外部 URL
https://apidocs.factorialhr.com/
SKILL.md:19

File Tree

1 files · 4.5 KB · 137 lines
Markdown 1f · 137L
└─ 📝 SKILL.md Markdown 137L · 4.5 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
@membranehq/cli * npm No Version not pinned; installed globally via npm install -g

Security Positives

✓ Documentation-only skill with no scripts or binary files to inspect
✓ All shell commands are explicitly declared in SKILL.md
✓ Network access is declared and scoped to Factorial API integration
✓ No credential harvesting or environment variable enumeration observed
✓ No base64, eval, curl|bash, or other high-risk patterns found
✓ Membrane CLI handles authentication server-side (no local secret storage in skill)
✓ Best practices documented: prefer pre-built actions over raw API calls