deftship Security Report — Trusted | ClawSafe

5 /100

deftship

Deftship integration for shipping management platform

A legitimate Deftship shipping platform integration skill that uses the Membrane CLI with properly documented OAuth-based authentication and no malicious indicators.

Skill Namedeftship

Duration18.3s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use as documented.

Findings 1 items

Severity	Finding	Location
Low	CLI package version not pinned Supply Chain The @membranehq/cli package is installed without version pinning, which could lead to unexpected behavior if the package changes. `npm install -g @membranehq/cli` → Consider pinning the version: npm install -g @membranehq/cli@latest or specific version	`SKILL.md:22`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md: npm install -g @membranehq/cli and membrane commands
Network	`READ`	`READ`	✓ Aligned	SKILL.md: Proxy requests through Membrane API
Filesystem	`NONE`	`NONE`	—	No file operations in SKILL.md

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://developers.deftship.com/

SKILL.md:19

File Tree

1 files · 4.3 KB · 124 lines

Markdown 1f · 124L

└─ 📝 SKILL.md Markdown 124L · 4.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`latest`	npm	No	No version pinning specified

Security Positives

✓ OAuth-based authentication through browser flow - no credential theft risk

✓ All shell operations are documented and necessary for the skill's purpose

✓ Uses Membrane as a secure proxy for API calls

✓ No hidden functionality or obfuscation detected

✓ No sensitive file access or environment variable harvesting

✓ No direct external IP communication - all traffic goes through Membrane

✓ Open source repository referenced (github.com/membranedev/application-skills)

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives