Trusted: risk score 5/100
Last scanned: 1 day ago
column
Column integration for data management and workflow automation via Membrane CLI
A legitimate Column integration skill that documents the use of the Membrane CLI for data management; no malicious behavior detected.
Skill name: column
Analysis time: 22.0s
Engine: pi
Safe to install
This skill is safe to use. Monitor the Membrane CLI (@membranehq/cli) for supply chain vulnerabilities.

Security findings: 1

Severity: Low
Finding: CLI dependency not version-pinned in documentation (supply chain)
SKILL.md shows `npm install -g @membranehq/cli` without a version pin, allowing any version to be installed.
npm install -g @membranehq/cli
→ Pin to a specific version: npm install -g @membranehq/cli@<version>
Location: SKILL.md:24
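
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Consistent | SKILL.md documentation files only |
| Network access | READ | READ | ✓ Consistent | SKILL.md line 43-70: API requests via membrane request |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md line 24-36: CLI commands (npm install, membrane login, etc.) |
| Environment variables | NONE | NONE | | No environment variable access documented |
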
2 findings

Medium: External URL
https://getmembrane.com
SKILL.md:7

Medium: External URL
https://www.column.com/docs/
SKILL.md:19

Directory structure

1 file · 4.1 KB · 124 lines
Markdown 1f · 124L
└─ 📝 SKILL.md Markdown 124L · 4.1 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | * | npm | | Version not pinned in documentation |

Security highlights

✓ All shell commands are explicitly documented in SKILL.md
✓ No credential harvesting; Membrane handles auth server-side
✓ No obfuscation, base64 encoding, or hidden instructions
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data exfiltration patterns
✓ Network access is declared and relevant to stated functionality
✓ Uses official Membrane infrastructure (getmembrane.com) with MIT license