deftship 安全扫描报告 — 可信 | ClawSafe

5 /100

deftship

Deftship integration for shipping management platform

A legitimate Deftship shipping platform integration skill that uses the Membrane CLI with properly documented OAuth-based authentication and no malicious indicators.

技能名称deftship

分析耗时18.3s

引擎pi

✓

可以安装

No action needed. The skill is safe to use as documented.

安全发现 1 项

严重性	安全发现	位置
低危	CLI package version not pinned 供应链 The @membranehq/cli package is installed without version pinning, which could lead to unexpected behavior if the package changes. `npm install -g @membranehq/cli` → Consider pinning the version: npm install -g @membranehq/cli@latest or specific version	`SKILL.md:22`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: npm install -g @membranehq/cli and membrane commands
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: Proxy requests through Membrane API
文件系统	`NONE`	`NONE`	—	No file operations in SKILL.md

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://developers.deftship.com/

SKILL.md:19

目录结构

1 文件 · 4.3 KB · 124 行

Markdown 1f · 124L

└─ 📝 SKILL.md Markdown 124L · 4.3 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`latest`	npm	否	No version pinning specified

安全亮点

✓ OAuth-based authentication through browser flow - no credential theft risk

✓ All shell operations are documented and necessary for the skill's purpose

✓ Uses Membrane as a secure proxy for API calls

✓ No hidden functionality or obfuscation detected

✓ No sensitive file access or environment variable harvesting

✓ No direct external IP communication - all traffic goes through Membrane

✓ Open source repository referenced (github.com/membranedev/application-skills)