Low risk: risk score 20/100
Last scan: 1 day ago
product-hunt
Product Hunt integration — manage posts, comments, makers, and topics via the Membrane CLI.
A legitimate Product Hunt integration using the Membrane CLI with no malicious behavior detected; minor documentation gaps around capability declarations.
Skill name: product-hunt
Analysis time: 51.8s
Engine: pi
Can be installed
Add explicit capability declarations to the SKILL.md header for full transparency. Pin the @membranehq/cli version (e.g., @membranehq/[email protected]) to prevent supply chain surprises.

Security findings (3)

Severity | Finding | Category | Location

Medium | Unpinned @membranehq/cli version | Supply chain | SKILL.md:56
The skill instructs users to run `npm install -g @membranehq/cli` without a version pin. This allows a malicious or compromised future version to be installed automatically.
Evidence: npm install -g @membranehq/cli
→ Pin to a specific version, e.g., `npm install -g @membranehq/[email protected]`, and recommend checking the version before installation.

Low | Missing shell:WRITE capability declaration in header | Documentation deception | SKILL.md:1
The YAML frontmatter declares 'network' access but does not list shell:WRITE, even though the skill requires running npm install and multiple membrane CLI commands via the shell.
Evidence: compatibility: Requires network access and a valid Membrane account
→ Update the compatibility header to explicitly declare shell:WRITE for the npm and membrane CLI commands used throughout the skill.

Low | Browser interaction not declared | Documentation deception | SKILL.md:64
The membrane login flow opens a browser window for OAuth authentication. This browser interaction is not declared in the header or explicitly flagged to the user as an automated browser open.
Evidence: membrane login --tenant
→ Add a note in the header that the skill may open a browser for OAuth, or document browser:READ in the compatibility section.
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✓ Consistent | SKILL.md:56 - npm install -g @membranehq/cli; SKILL.md:62-88 - membrane login, c…
Network access | READ | READ | ✓ Consistent | SKILL.md:7 - declared as 'Requires network access'; all network calls routed thr…
File system | NONE | NONE | | No file operations found
Browser | NONE | READ | ✓ Consistent | SKILL.md:64 - membrane login opens browser for OAuth flow, not declared in heade…
External URLs: 2 findings

Severity | Type | URL | Location
Medium | External URL | https://getmembrane.com | SKILL.md:7
Medium | External URL | https://api.producthunt.com/v2/docs | SKILL.md:19

Directory structure

1 file · 4.3 KB · 128 lines
Markdown: 1 file · 128 lines
└─ SKILL.md (Markdown, 128 lines, 4.3 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | unspecified (latest) | npm | | No version pin in SKILL.md install command; could pull a compromised future version

Security highlights

✓ No credential theft: Membrane handles auth server-side with no local secret storage
✓ No code execution beyond documented CLI commands: No eval(), base64 decode, or subprocess usage beyond declared commands
✓ No sensitive file access: No reading of ~/.ssh, ~/.aws, .env, or similar paths
✓ No obfuscation: All behavior is documented in plain text in SKILL.md
✓ No hidden instructions: No HTML comments, steganography, or concealed payloads
✓ No data exfiltration: All network traffic is to legitimate Product Hunt / Membrane infrastructure
✓ OAuth-based authentication: Browser-based login flow is a standard and safe pattern