Low risk (risk score 10/100)
Last scanned: 2 days ago
clari
Clari integration for revenue operations data management and workflow automation
Legitimate Clari integration skill that uses the Membrane CLI for API interactions; all shell commands are documented and necessary for the documented functionality.
Skill name: clari
Analysis time: 32.7s
Engine: pi
Can be installed
Skill is safe to use. Monitor for any changes to the Membrane CLI package or unexpected network behavior.

Security findings: 2

Severity: Low
Finding: Global npm package installation
The skill instructs users to install @membranehq/cli globally via npm. While this is standard practice for CLI tools, global installs modify system state.
npm install -g @membranehq/cli
→ Consider documenting this as a required permission in the skill metadata for transparency.
Location: SKILL.md:25

Severity: Info
Finding: External URL references
The SKILL.md references external URLs (getmembrane.com, developers.clari.com). These are documentation links and do not pose direct security risks.
https://getmembrane.com, https://developers.clari.com/
→ No action needed; standard external documentation references.
Location: SKILL.md

Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | SKILL.md only - documentation reference, no actual file operations
Network access | READ | READ | ✓ Consistent | Membrane CLI proxies API calls to Clari; declared in compatibility field
Command execution | WRITE | WRITE | ✓ Consistent | npm install -g @membranehq/cli, membrane login/connect/action run commands all d…
Environment variables | NONE | NONE | | No environment variable access declared or observed
Skill invocation | NONE | NONE | | No skill invocation observed
Clipboard | NONE | NONE | | No clipboard access observed
Browser | NONE | NONE | | Browser used only for OAuth flow in Membrane login, not programmatically accesse…
Database | NONE | NONE | | No database access observed

2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://developers.clari.com/
SKILL.md:19

Directory structure

1 file · 4.3 KB · 126 lines
Markdown 1f · 126L
└─ 📝 SKILL.md Markdown 126L · 4.3 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | latest | npm | | Pinned version recommended for production use

Security highlights

✓ All shell commands are explicitly documented in SKILL.md
✓ Credentials are managed server-side by Membrane with no local secrets storage
✓ No credential harvesting or environment variable enumeration observed
✓ No base64 encoding, eval(), or other suspicious code patterns
✓ No hidden instructions in comments or documentation
✓ No direct IP connections or C2 indicators
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Membrane acts as a secure proxy, handling auth lifecycle server-side
✓ Standard CLI integration pattern with well-established Membrane tool