扫描报告
12 /100
factorial
Factorial HR software integration using Membrane CLI
This is a documentation-only skill that describes how to use the Membrane CLI for Factorial API integration; all shell and network access are declared and necessary for the documented purpose, with no hidden functionality or malicious indicators.
可以安装
Approve for use. No script files exist to inspect further. If the Membrane CLI package (@membranehq/cli) is a concern, consider pinning to a specific version hash or hosting an internal mirror.
安全发现 1 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Third-party npm package dependency | SKILL.md:52 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md lines 52-68: npm install -g, membrane login, membrane connect, membrane… |
| 网络访问 | READ | READ | ✓ 一致 | SKILL.md lines 70-78: membrane request for proxying API calls to Factorial |
| 文件系统 | NONE | NONE | — | No file read/write operations in skill; npm install writes to global node_module… |
| 环境变量 | NONE | NONE | — | No environment variable access observed |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://apidocs.factorialhr.com/ SKILL.md:19 目录结构
1 文件 · 4.5 KB · 137 行 Markdown 1f · 137L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | * | npm | 否 | Version not pinned; installed globally via npm install -g |
安全亮点
✓ Documentation-only skill with no scripts or binary files to inspect
✓ All shell commands are explicitly declared in SKILL.md
✓ Network access is declared and scoped to Factorial API integration
✓ No credential harvesting or environment variable enumeration observed
✓ No base64, eval, curl|bash, or other high-risk patterns found
✓ Membrane CLI handles authentication server-side (no local secret storage in skill)
✓ Best practices documented: prefer pre-built actions over raw API calls