扫描报告
15 /100
confluent
Confluent integration using Membrane CLI to manage Kafka topics, clusters, and related resources
Documentation-only Confluent integration skill using the Membrane CLI; no hidden malicious functionality detected, though global npm installation grants elevated permissions.
可以安装
Review Membrane CLI's security model before granting shell:WRITE permissions. Consider pinning CLI version and verifying Membrane's credential handling practices.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Global npm package installation 权限提升 | SKILL.md:24 |
| 低危 | Third-party credential management 敏感访问 | SKILL.md:32 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | NONE | — | No file operations found in SKILL.md |
| 网络访问 | READ | READ | ✓ 一致 | External URLs to getmembrane.com and docs.confluent.io declared |
| 命令执行 | WRITE | WRITE | ✓ 一致 | npm install -g declared in setup instructions |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://docs.confluent.io/ SKILL.md:19 目录结构
1 文件 · 6.3 KB · 147 行 Markdown 1f · 147L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | latest | npm | 否 | Version not pinned in SKILL.md |
安全亮点
✓ No code execution beyond documented CLI commands
✓ No credential harvesting or exfiltration
✓ No base64 or obfuscated code patterns
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No reverse shell or C2 communication patterns
✓ No hidden HTML comments or steganographic content
✓ Legitimate third-party integration with clear documentation