Low Risk — Risk Score 15/100
Last scan: 1 day ago
sofort
SOFORT direct online banking payment integration skill using the Membrane CLI
This is a straightforward SOFORT payment integration skill that uses the Membrane CLI. All capabilities (network, shell) are declared, no hidden functionality exists, and credential management is properly delegated to Membrane.
Skill Name: sofort
Duration: 25.6s
Engine: pi
Safe to install
No immediate action required. Consider pinning the @membranehq/cli version in documentation for reproducible builds.

Findings (2 items)

Severity: Low
Finding: CLI package version not pinned (Supply Chain)
Location: SKILL.md:25
The documentation instructs users to install @membranehq/cli with the @latest tag instead of pinning a specific version. This could lead to unexpected behavior if the package is updated.
    npm install -g @membranehq/cli
→ Pin to a specific version, e.g. npm install -g @membranehq/cli@<version>

Severity: Low
Finding: Action discovery uses @latest tag (Supply Chain)
Location: SKILL.md:53
The npx command for action discovery also uses @latest, which bypasses any locally installed version.
    npx @membranehq/cli@latest action list
→ Use a pinned version consistent with the installed CLI version.
Resource      Declared  Inferred  Status     Evidence
Network       READ      READ      ✓ Aligned  SKILL.md - all shell commands (membrane login, connect, action run, request) int…
Shell         WRITE     WRITE     ✓ Aligned  SKILL.md - documents npm install, membrane login, membrane connect, membrane act…
Filesystem    NONE      NONE                 No file operations performed or declared
Environment   NONE      NONE                 No environment variable access declared or observed
Skill Invoke  NONE      NONE                 No inter-skill invocation declared
Clipboard     NONE      NONE                 No clipboard access declared or observed
Browser       NONE      NONE                 Browser used only for OAuth login flow, fully declared and user-driven
Database      NONE      NONE                 No database operations declared or observed
External URLs (2 findings)

Severity  Finding       URL                             Location
Medium    External URL  https://getmembrane.com         SKILL.md:7
Medium    External URL  https://developers.sofort.com/  SKILL.md:19

File Tree

1 file · 4.3 KB · 123 lines
Markdown: 1 file · 123 lines
└─ SKILL.md (Markdown, 123 lines, 4.3 KB)

Dependencies (1 item)

Package          Version  Source  Known Vulns  Notes
@membranehq/cli  latest   npm     No           No version pinned — recommended to pin a specific version

Security Positives

✓ All shell capabilities are explicitly declared in SKILL.md
✓ No credential harvesting — credentials are managed server-side by Membrane
✓ No hidden functionality or obfuscated code
✓ Credential management philosophy is sound: 'never ask the user for API keys or tokens'
✓ Only 1 file (SKILL.md) — no hidden scripts or binary artifacts
✓ No network IOCs beyond declared Membrane API endpoints
✓ Browser OAuth flow is user-initiated and fully transparent
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No base64-encoded execution or eval patterns