Low Risk — Risk Score 10/100
Last scan: 1 day ago
tecalliance
TecAlliance integration for automotive data management
A legitimate TecAlliance API integration skill that uses the documented Membrane CLI for automotive data operations with no malicious code or hidden functionality.
Skill Name: tecalliance
Duration: 26.5s
Engine: pi
Safe to install
Approve for use. The skill is well-documented and performs standard API integration through a legitimate third-party CLI tool.

Findings: 1 item

Severity: Low
Finding: Third-party CLI dependency (Supply Chain)
Location: SKILL.md:31
The skill depends on @membranehq/cli from npm. This is a legitimate, documented dependency but introduces supply chain risk if the package is compromised.
npm install -g @membranehq/cli
→ Verify package integrity and consider pinning to a specific version (e.g., @membranehq/cli@<version>) rather than using latest
| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | WRITE | ✓ Aligned | npm install -g writes to global node_modules (implicit) |
| Network | READ | READ | ✓ Aligned | membrane request for TecAlliance API calls |
| Shell | NONE | WRITE | ✓ Aligned | membrane CLI commands documented in SKILL.md |
| Environment | NONE | NONE | | No environment variable access detected |
| Skill Invoke | NONE | NONE | | No skill chaining detected |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | READ | ✓ Aligned | membrane login opens browser for OAuth authentication |
| Database | NONE | NONE | | No database access detected |
2 findings
Medium, External URL: https://getmembrane.com (SKILL.md:7)
Medium, External URL: https://developer.tecalliance.services/ (SKILL.md:19)

File Tree

1 file · 4.9 KB · 141 lines
Markdown 1f · 141L
└─ 📝 SKILL.md Markdown 141L · 4.9 KB

Dependencies: 1 item

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| @membranehq/cli | latest | npm | No | Version not pinned - recommends using @latest |

Security Positives

✓ No executable code present - only documentation
✓ No obfuscated or base64-encoded content
✓ No credential harvesting patterns detected
✓ All functionality clearly documented in SKILL.md
✓ Uses standard OAuth browser flow for authentication
✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)
✓ No suspicious network patterns (no direct IP calls, no C2 indicators)
✓ Legitimate business use case (automotive data API integration)
✓ External URLs point to legitimate services (getmembrane.com, tecalliance.services)