column Security Report — Trusted | ClawSafe

5 /100

column

Column integration for data management and workflow automation via Membrane CLI

A legitimate Column integration skill that documents the use of the Membrane CLI for data management; no malicious behavior detected.

Skill Namecolumn

Duration22.0s

Enginepi

✓

Safe to install

This skill is safe to use. Monitor the Membrane CLI (@membranehq/cli) for supply chain vulnerabilities.

Findings 1 items

Severity	Finding	Location
Low	CLI dependency not version-pinned in documentation Supply Chain SKILL.md shows `npm install -g @membranehq/cli` without a version pin, allowing any version to be installed. `npm install -g @membranehq/cli` → Pin to a specific version: npm install -g @membranehq/[email protected]	`SKILL.md:24`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	SKILL.md documentation files only
Network	`READ`	`READ`	✓ Aligned	SKILL.md line 43-70: API requests via membrane request
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md line 24-36: CLI commands (npm install, membrane login, etc.)
Environment	`NONE`	`NONE`	—	No environment variable access documented

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://www.column.com/docs/

SKILL.md:19

1 files · 4.1 KB · 124 lines

Markdown 1f · 124L

└─ 📝 SKILL.md Markdown 124L · 4.1 KB

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`*`	npm	No	Version not pinned in documentation

✓ All shell commands are explicitly documented in SKILL.md

✓ No credential harvesting; Membrane handles auth server-side

✓ No obfuscation, base64 encoding, or hidden instructions

✓ No sensitive file access (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2, or data exfiltration patterns

✓ Network access is declared and relevant to stated functionality

✓ Uses official Membrane infrastructure (getmembrane.com) with MIT license