gtmetrix 安全扫描报告 — 低风险 | ClawSafe

15 /100

gtmetrix

GTmetrix integration for website performance analysis

GTmetrix integration skill using Membrane CLI with clear documentation and no malicious behavior detected.

技能名称gtmetrix

分析耗时26.5s

引擎pi

✓

可以安装

Approve for use. Consider pinning the npm package version for reproducible builds.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned npm package version 供应链 The skill instructs users to install @membranehq/cli globally without specifying a version. This could lead to unexpected behavior if the package is updated. `npm install -g @membranehq/cli` → Specify a version: npm install -g @membranehq/cli@latest or pin to specific version	`SKILL.md:22`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file operations in documentation
网络访问	`READ`	`READ`	✓ 一致	GTmetrix API access via Membrane proxy
命令执行	`WRITE`	`WRITE`	✓ 一致	npm install, membrane CLI commands
环境变量	`NONE`	`NONE`	—	Membrane handles credentials server-side
技能调用	`NONE`	`NONE`	—	No skill chaining declared
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	OAuth flow uses system browser
数据库	`NONE`	`NONE`	—	No database access

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://gtmetrix.com/api/

SKILL.md:19

1 文件 · 5.8 KB · 143 行

Markdown 1f · 143L

└─ 📝 SKILL.md Markdown 143L · 5.8 KB

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`*`	npm	否	Version not pinned in installation instructions

✓ Clear documentation matching actual functionality

✓ No credential harvesting - Membrane handles auth server-side

✓ No sensitive file/path access

✓ No obfuscation or base64-encoded commands

✓ No data exfiltration behavior

✓ Uses official Membrane CLI tool

✓ OAuth flow with browser for authentication

✓ No subprocess hidden from documentation