Scan Report
5 /100
automox
Automox integration — manage patch management, configuration, and software deployment via Membrane CLI
A legitimate Automox integration skill using the Membrane CLI with no malicious behavior, hidden functionality, or credential theft — all operations are declared and within documented bounds.
Safe to install
This skill is safe to use. Monitor for any future additions of scripts or binary executables that are not reviewed.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:30 — npm install -g @membranehq/cli |
| Network | READ | READ | ✓ Aligned | SKILL.md:47-92 — membrane request for API proxy |
| Filesystem | NONE | NONE | — | No filesystem operations documented or present |
| Environment | NONE | NONE | — | SKILL.md:94 explicitly states not to ask for API keys; Membrane handles auth ser… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation documented |
| Clipboard | NONE | NONE | — | No clipboard access present |
| Browser | READ | READ | ✓ Aligned | SKILL.md:34-36 — browser window for OAuth login flow |
| Database | NONE | NONE | — | No database operations documented or present |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://developer.automox.com/ SKILL.md:19 File Tree
1 files · 4.4 KB · 131 lines Markdown 1f · 131L
└─
SKILL.md
Markdown
Security Positives
✓ No executable scripts or binary files present — only markdown documentation
✓ All shell operations (npm install) are explicitly documented in SKILL.md
✓ No credential theft: credentials are handled via browser-based OAuth through Membrane with no raw API key storage
✓ No data exfiltration: all network traffic is to/from Automox API via the Membrane proxy
✓ No obfuscation, encoded payloads, or anti-analysis techniques
✓ No sensitive file/path access (~/.ssh, ~/.aws, .env, etc.)
✓ No base64 execution, curl|bash, or remote script fetching
✓ SKILL.md provides clear best practices recommending use of Membrane's built-in actions over raw API calls