扫描报告
5 /100
leapfin
Leapfin integration for finance automation - reconciliation, transactions, journal entries, adjustments, and reporting
A well-documented finance automation skill using the Membrane CLI with fully declared shell and network operations.
可以安装
Approve for use. The skill is transparent about its dependencies (npm install -g @membranehq/cli) and all operations are documented in SKILL.md.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | NONE | — | No filesystem operations in the skill |
| 网络访问 | READ | READ | ✓ 一致 | SKILL.md: Declares network access via Membrane CLI for Leapfin API |
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md: Documents npm install -g and membrane CLI commands |
| 环境变量 | NONE | NONE | — | No environment variable access detected |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://leapfin.com/ SKILL.md:19 目录结构
1 文件 · 4.4 KB · 130 行 Markdown 1f · 130L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | latest | npm | 否 | Pinned version recommended for production |
安全亮点
✓ All shell commands are explicitly documented in SKILL.md
✓ Network access is declared and goes through official Membrane CLI
✓ Credential handling is properly delegated to Membrane (no local API key storage)
✓ No sensitive path access (~/.ssh, ~/.aws, .env) detected
✓ No base64-encoded payloads or obfuscated code
✓ No curl|bash or wget|sh patterns
✓ Skill explicitly states to 'never ask the user for API keys'
✓ Best practices section encourages using pre-built actions over raw API calls