Low Risk — Risk Score 15/100
Last scan: 1 day ago
SSLMate Cert Spotter API
Membrane CLI integration for SSLMate's Cert Spotter API — monitors newly issued SSL/TLS certificates
A lean, well-documented Membrane CLI wrapper for the SSLMate Cert Spotter API with no hidden functionality, no scripts, and no credential exfiltration.
Skill Name: SSLMate Cert Spotter API
Duration: 28.5s
Engine: pi
Safe to install
Skill is safe to use. The `~/.membrane/credentials.json` credential storage is expected behavior for the Membrane CLI. No further action required.

Findings 2 items

Severity: Low
Finding: Unpinned CLI package version (Supply Chain)
The skill uses @membranehq/cli@latest throughout, which resolves to the latest release at execution time rather than a fixed version. While Membrane is a known product, pinning to a specific version prevents unexpected behavior from upstream breaking changes.
Evidence: npx @membranehq/cli@latest login --tenant
→ Pin to a stable version tag (e.g., @membranehq/[email protected]) once a stable release is available, or document the rationale for using 'latest'.
Location: SKILL.md:24

Severity: Info
Finding: Filesystem and network permissions not declared in header (Doc Mismatch)
SKILL.md header declares no explicit permissions, but the skill implicitly uses filesystem:WRITE (credential storage) and network:WRITE (API proxy calls). These are minor gaps; the credential file is well-documented in the body.
Evidence: No declared permissions in _meta/compatibility header
→ Add explicit capability declarations in the metadata block, e.g., 'filesystem:WRITE' for credential storage and 'network:WRITE' for API calls.
Location: SKILL.md:1

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | ~/.membrane/credentials.json is written by Membrane CLI during login (documented… |
| Network | NONE | WRITE | ✓ Aligned | Membrane proxy sends authenticated requests to SSLMate API; declared via Membran… |
| Shell | NONE | WRITE | ✓ Aligned | npx commands invoke shell; this is the expected mechanism and is documented |

1 finding
Medium External URL
https://sslmate.com/certspotter/api/
SKILL.md:17

File Tree

1 file · 4.7 KB · 116 lines
Markdown 1f · 116L
└─ 📝 SKILL.md Markdown 116L · 4.7 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest (unpinned) | npx | No | No specific version pinned; resolves to latest at execution time |

Security Positives

✓ No scripts or binary files — pure documentation-only skill
✓ No credential harvesting or exfiltration detected
✓ No obfuscation, base64-encoded payloads, or reverse shell patterns
✓ All operations go through the legitimate, documented Membrane CLI
✓ Credential management is handled by Membrane server-side, not locally exposed
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) or environment variable iteration
✓ No supply-chain IOCs beyond the known Membrane package reference
✓ No curl|bash or wget|sh remote execution patterns