Scan Report
5/100
leapfin
Leapfin integration for finance automation - reconciliation, transactions, journal entries, adjustments, and reporting
A well-documented finance automation skill using the Membrane CLI with fully declared shell and network operations.
Safe to install
Approve for use. The skill is transparent about its dependencies (npm install -g @membranehq/cli) and all operations are documented in SKILL.md.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem operations in the skill |
| Network | READ | READ | ✓ Aligned | SKILL.md: Declares network access via Membrane CLI for Leapfin API |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: Documents npm install -g and membrane CLI commands |
| Environment | NONE | NONE | — | No environment variable access detected |
2 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://leapfin.com/ | SKILL.md:19 |
File Tree
1 file · 4.4 KB · 130 lines (Markdown: 1 file, 130 lines)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Pinned version recommended for production |
Security Positives
✓ All shell commands are explicitly documented in SKILL.md
✓ Network access is declared and goes through official Membrane CLI
✓ Credential handling is properly delegated to Membrane (no local API key storage)
✓ No sensitive path access (~/.ssh, ~/.aws, .env) detected
✓ No base64-encoded payloads or obfuscated code
✓ No curl|bash or wget|sh patterns
✓ Skill explicitly states to 'never ask the user for API keys'
✓ Best practices section encourages using pre-built actions over raw API calls