中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:1 天前 重新扫描
15 /100
SSLMate Cert Spotter API
Membrane CLI integration for SSLMate's Cert Spotter API — monitors newly issued SSL/TLS certificates
A lean, well-documented Membrane CLI wrapper for the SSLMate Cert Spotter API with no hidden functionality, no scripts, and no credential exfiltration.
技能名称SSLMate Cert Spotter API
分析耗时28.5s
引擎pi
可以安装
Skill is safe to use. The `~/.membrane/credentials.json` credential storage is expected behavior for the Membrane CLI. No further action required.

安全发现 2 项

严重性 安全发现 位置
低危
Unpinned CLI package version 供应链
The skill uses @membranehq/cli@latest throughout, which resolves to the latest release at execution time rather than a fixed version. While Membrane is a known product, pinning to a specific version prevents unexpected behavior from upstream breaking changes.
npx @membranehq/cli@latest login --tenant
→ Pin to a stable version tag (e.g., @membranehq/[email protected]) once a stable release is available, or document the rationale for using 'latest'.
 SKILL.md:24
提示
Filesystem and network permissions not declared in header 文档欺骗
SKILL.md header declares no explicit permissions, but the skill implicitly uses filesystem:WRITE (credential storage) and network:WRITE (API proxy calls). These are minor gaps; the credential file is well-documented in the body.
No declared permissions in _meta/compatibility header
→ Add explicit capability declarations in the metadata block, e.g., 'filesystem:WRITE' for credential storage and 'network:WRITE' for API calls.
 SKILL.md:1
资源类型声明权限推断权限状态证据
文件系统 NONE WRITE ✓ 一致 ~/.membrane/credentials.json is written by Membrane CLI during login (documented…
网络访问 NONE WRITE ✓ 一致 Membrane proxy sends authenticated requests to SSLMate API; declared via Membran…
命令执行 NONE WRITE ✓ 一致 npx commands invoke shell; this is the expected mechanism and is documented
1 项发现
🔗
中危 外部 URL 外部 URL
https://sslmate.com/certspotter/api/
SKILL.md:17

目录结构

1 文件 · 4.7 KB · 116 行
Markdown 1f · 116L
└─ 📝 SKILL.md Markdown 116L · 4.7 KB

依赖分析 1 项

包名版本来源已知漏洞备注
@membranehq/cli latest (unpinned) npx No specific version pinned; resolves to latest at execution time

安全亮点

✓ No scripts or binary files — pure documentation-only skill
✓ No credential harvesting or exfiltration detected
✓ No obfuscation, base64-encoded payloads, or reverse shell patterns
✓ All operations go through the legitimate, documented Membrane CLI
✓ Credential management is handled by Membrane server-side, not locally exposed
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) or environment variable iteration
✓ No supply-chain IOCs beyond the known Membrane package reference
✓ No curl|bash or wget|sh remote execution patterns