Security Decision Report

onetrust

Skill installs an unversioned third-party CLI tool and delegates all credential handling to an undisclosed proxy service with no transparency about data collection.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 1
IOCs: 2
Privilege overreach items: 1
Findings: 4
Most direct threat evidence
High
Third-party credential proxy without transparency

The skill delegates all API authentication to Membrane's proxy service. Credentials flow through Membrane's infrastructure with no disclosure of logging, data collection, or retention practices. SKILL.md states 'Membrane handles authentication and credentials refresh automatically' and 'Membrane automatically appends the base URL' - this is a man-in-the-middle for all sensitive API calls.

SKILL.md:91

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or privilege overreach beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; these need to be judged in context.

Block
Attack chains and high-risk findings

The report contains no attack chain (0 steps) and 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised

Unversioned npm package with @latest tag (+15)

npm install -g @membranehq/cli and npx @membranehq/cli@latest both resolve to whatever version is current at install time, so the code that executes can change between runs.

Third-party credential proxy with no transparency (+15)

All API credentials flow through Membrane's proxy service with no disclosure of data collection, logging, or retention policies.

Implicit filesystem WRITE for global npm install (+10)

SKILL.md declares filesystem:NONE, but npm install -g requires write access to the global package directory.

No audit trail for installed binary (+5)

No checksum verification or package integrity check for the @membranehq/cli package.

Most critical evidence

High

Third-party credential proxy without transparency

The skill delegates all API authentication to Membrane's proxy service. Credentials flow through Membrane's infrastructure with no disclosure of logging, data collection, or retention practices. SKILL.md states 'Membrane handles authentication and credentials refresh automatically' and 'Membrane automatically appends the base URL' - this is a man-in-the-middle for all sensitive API calls.

SKILL.md:91
Require Membrane to publish a security whitepaper. Consider allowing direct API access with user-managed credentials instead.
High

Unversioned npm package with @latest tag

The skill uses '@membranehq/cli@latest', which can pull different code versions over time. The npm install command also uses an unpinned version. This enables supply chain attacks in which a compromised version could be pushed to the registry and picked up on the next install.

SKILL.md:45
Pin to a specific version with checksum verification, e.g., 'npm install -g @membranehq/[email protected]' after verifying the hash.
Medium

Filesystem access not declared

SKILL.md declares 'allowed_tools: null (no direct file operations)' but npm install -g requires write access to the global npm directory (typically /usr/local/lib/node_modules or ~/.npm). This is a doc-to-code mismatch.

SKILL.md:45
Declare filesystem:WRITE permission in _meta.json or use npx instead of global install to avoid persistent filesystem modification.
Low

External URLs without verification

Skill references external URLs (getmembrane.com, developer.onetrust.com) without package integrity verification. Users cannot verify if these services are legitimate.

SKILL.md:7
Document the expected behavior and data flows between these services.

Declared vs. actual capabilities

Capability          Verdict  Declared  Inferred  Evidence
Command execution   Pass     WRITE     WRITE     SKILL.md:45 - npm install -g @membranehq/cli
Network access      Pass     READ      READ      SKILL.md:55 - membrane request CONNECTION_ID /path/to/endpoint
Filesystem          Block    NONE      WRITE     SKILL.md:45 - npm install -g requires global npm directory write access
Environment vars    Pass     NONE      NONE      No environment variable access detected
Skill invocation    Pass     NONE      NONE      No skill invocation patterns found
Clipboard           Pass     NONE      NONE      No clipboard access detected
Browser             Pass     NONE      READ      SKILL.md:53 - membrane login opens browser for OAuth authentication
Database            Pass     NONE      NONE      No database access detected

Suspicious artifacts and outbound connections

Medium · External URL
https://getmembrane.com

SKILL.md:7

Medium · External URL
https://developer.onetrust.com/

SKILL.md:19

Dependencies and supply chain

Package           Version             Source  Vulnerabilities  Notes
@membranehq/cli   unpinned (@latest)  npm     (none listed)    Supply chain risk - no version pinning, uses @latest tag

File composition

1 file · 194 lines
Markdown: 1 file · 194 lines
Files needing attention · 1
SKILL.md Markdown · 194 lines
Third-party credential proxy without transparency · Unversioned npm package with @latest tag · Filesystem access not declared · External URLs without verification · https://getmembrane.com · https://developer.onetrust.com/

Security highlights

No credential harvesting detected - explicitly states 'never ask the user for API keys'
No base64-encoded commands, eval(), or direct IP network requests
Uses browser-based OAuth instead of storing secrets locally
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
Well-documented with clear usage examples