中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
product-hunt
Product Hunt integration — manage posts, comments, makers, and topics via the Membrane CLI.
A legitimate Product Hunt integration using the Membrane CLI with no malicious behavior detected; minor documentation gaps around capability declarations.
Skill Nameproduct-hunt
Duration51.8s
Enginepi
Safe to install
Add explicit capability declarations to the SKILL.md header for full transparency. Pin the @membranehq/cli version (e.g., @membranehq/[email protected]) to prevent supply chain surprises.

Findings 3 items

Severity Finding Location
Medium
Unpinned @membranehq/cli version Supply Chain
The skill instructs users to run `npm install -g @membranehq/cli` without a version pin. This allows a malicious or compromised future version to be installed automatically.
npm install -g @membranehq/cli
→ Pin to a specific version, e.g., `npm install -g @membranehq/[email protected]`, and recommend checking the version before installation.
 SKILL.md:56
Low
Missing shell:WRITE capability declaration in header Doc Mismatch
The YAML frontmatter declares 'network' access but does not list shell:WRITE, even though the skill requires running npm install and multiple membrane CLI commands via the shell.
compatibility: Requires network access and a valid Membrane account
→ Update the compatibility header to explicitly declare shell:WRITE for the npm and membrane CLI commands used throughout the skill.
 SKILL.md:1
Low
Browser interaction not declared Doc Mismatch
The membrane login flow opens a browser window for OAuth authentication. This browser interaction is not declared in the header or explicitly flagged to the user as an automated browser open.
membrane login --tenant
→ Add a note in the header that the skill may open a browser for OAuth, or document browser:READ in the compatibility section.
 SKILL.md:64
ResourceDeclaredInferredStatusEvidence
Shell NONE WRITE ✓ Aligned SKILL.md:56 - npm install -g @membranehq/cli; SKILL.md:62-88 - membrane login, c…
Network READ READ ✓ Aligned SKILL.md:7 - declared as 'Requires network access'; all network calls routed thr…
Filesystem NONE NONE No file operations found
Browser NONE READ ✓ Aligned SKILL.md:64 - membrane login opens browser for OAuth flow, not declared in heade…
2 findings
🔗
Medium External URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
Medium External URL 外部 URL
https://api.producthunt.com/v2/docs
SKILL.md:19

File Tree

1 files · 4.3 KB · 128 lines
Markdown 1f · 128L
└─ 📝 SKILL.md Markdown 128L · 4.3 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
@membranehq/cli unspecified (latest) npm No No version pin in SKILL.md install command; could pull a compromised future version

Security Positives

✓ No credential theft: Membrane handles auth server-side with no local secret storage
✓ No code execution beyond documented CLI commands: No eval(), base64 decode, or subprocess usage beyond declared commands
✓ No sensitive file access: No reading of ~/.ssh, ~/.aws, .env, or similar paths
✓ No obfuscation: All behavior is documented in plain text in SKILL.md
✓ No hidden instructions: No HTML comments, steganography, or concealed payloads
✓ No data exfiltration: All network traffic is to legitimate Product Hunt / Membrane infrastructure
✓ OAuth-based authentication: Browser-based login flow is a standard and safe pattern