Scan Report
5 /100
codeq-natural-language-processing-api
Codeq Natural Language Processing API integration for sentiment analysis, text summarization, and entity recognition
Legitimate Codeq NLP API integration skill using Membrane CLI with clearly declared network access and shell execution for package installation.
Safe to install
No action needed. This is a straightforward API integration skill with all capabilities properly documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md line 29: npm install -g @membranehq/cli |
| Network | READ | READ | ✓ Aligned | SKILL.md: interacts with Codeq NLP API through Membrane proxy |
| Filesystem | NONE | NONE | — | No file operations declared or observed |
| Environment | NONE | NONE | — | No env access observed |
| Clipboard | NONE | NONE | — | No clipboard access observed |
| Database | NONE | NONE | — | No database access declared or observed |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://codeq.ai/docs/ SKILL.md:19 File Tree
1 files · 4.9 KB · 132 lines Markdown 1f · 132L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | latest | npm | No | Version not pinned; this is standard for CLI tools and matches documented behavior |
Security Positives
✓ All shell commands documented in SKILL.md (npm install, membrane CLI)
✓ Network access explicitly declared for API interaction
✓ Credentials handled server-side by Membrane with no local secrets
✓ Standard browser-based OAuth authentication flow
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64/eval/suspicious encoding patterns
✓ No data exfiltration or credential harvesting
✓ Open source repository referenced (github.com/membranedev/application-skills)