Skill Trust Decision

onetrust

Skill installs an unversioned third-party CLI tool and delegates all credential handling to an undisclosed proxy service with no transparency about data collection.

Source: Manual upload
Scanned: Apr 3, 2026
Files 1
Artifacts 2
Violations 1
Findings 4
Most direct threat evidence
High
Third-party credential proxy without transparency

The skill delegates all API authentication to Membrane's proxy service. Credentials flow through Membrane's infrastructure with no disclosure of logging, data collection, or retention practices. SKILL.md states 'Membrane handles authentication and credentials refresh automatically' and 'Membrane automatically appends the base URL' - this is a man-in-the-middle for all sensitive API calls.

SKILL.md:91

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Unversioned npm package with @latest tag +15

npm install -g @membranehq/cli and npx @membranehq/cli@latest allow arbitrary code execution with shifting versions

Third-party credential proxy with no transparency +15

All API credentials flow through Membrane's proxy service with no disclosure of data collection, logging, or retention policies

Implicit filesystem WRITE for global npm install +10

SKILL.md declares filesystem:NONE but npm install -g requires global package directory write access

No audit trail for installed binary +5

No checksum verification or package integrity check for the @membranehq/cli package

Most important evidence

High

Third-party credential proxy without transparency

The skill delegates all API authentication to Membrane's proxy service. Credentials flow through Membrane's infrastructure with no disclosure of logging, data collection, or retention practices. SKILL.md states 'Membrane handles authentication and credentials refresh automatically' and 'Membrane automatically appends the base URL' - this is a man-in-the-middle for all sensitive API calls.

SKILL.md:91
Require Membrane to publish a security whitepaper. Consider allowing direct API access with user-managed credentials instead.

High

Unversioned npm package with @latest tag

The skill uses '@membranehq/cli@latest', which can pull different code versions over time. The npm install command also uses an unpinned version. This enables supply chain attacks where a compromised version could be pushed.

SKILL.md:45
Pin to a specific version with checksum verification, e.g., 'npm install -g @membranehq/cli@<version>' after verifying the hash.

Medium

Filesystem access not declared

SKILL.md declares 'allowed_tools: null (no direct file operations)' but npm install -g requires write access to the global npm directory (typically /usr/local/lib/node_modules or ~/.npm). This is a doc-to-code mismatch.

SKILL.md:45
Declare filesystem:WRITE permission in _meta.json or use npx instead of global install to avoid persistent filesystem modification.

Low

External URLs without verification

Skill references external URLs (getmembrane.com, developer.onetrust.com) without package integrity verification. Users cannot verify if these services are legitimate.

SKILL.md:7
Document the expected behavior and data flows between these services.

Declared capability vs actual capability

Capability | Status | Declared | Inferred | Evidence
--- | --- | --- | --- | ---
Shell | Pass | WRITE | WRITE | SKILL.md:45 - npm install -g @membranehq/cli
Network | Pass | READ | READ | SKILL.md:55 - membrane request CONNECTION_ID /path/to/endpoint
Filesystem | Block | NONE | WRITE | SKILL.md:45 - npm install -g requires global npm directory write access
Environment | Pass | NONE | NONE | No environment variable access detected
Skill Invoke | Pass | NONE | NONE | No skill invocation patterns found
Clipboard | Pass | NONE | NONE | No clipboard access detected
Browser | Pass | NONE | READ | SKILL.md:53 - membrane login opens browser for OAuth authentication
Database | Pass | NONE | NONE | No database access detected

Suspicious artifacts and egress

Medium External URL
https://getmembrane.com

SKILL.md:7

Medium External URL
https://developer.onetrust.com/

SKILL.md:19

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
--- | --- | --- | --- | ---
@membranehq/cli | unpinned (@latest) | npm | No | Supply chain risk - no version pinning, uses @latest tag

File composition

1 file · 194 lines
Markdown 1 file · 194 lines
Files of concern · 1
SKILL.md Markdown · 194 lines
Third-party credential proxy without transparency · Unversioned npm package with @latest tag · Filesystem access not declared · External URLs without verification · https://getmembrane.com · https://developer.onetrust.com/

Security positives

No credential harvesting detected - explicitly states 'never ask the user for API keys'
No base64-encoded commands, eval(), or direct IP network requests
Uses browser-based OAuth instead of storing secrets locally
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
Well-documented with clear usage examples