Trusted — Risk score 5/100
Last scanned: 1 day ago
onespan
OneSpan integration for digital identity, e-signatures, and fraud prevention
This is a legitimate OneSpan integration skill that uses the Membrane CLI for API interaction. All behavior is clearly documented with no hidden functionality.
Skill name: onespan
Analysis time: 21.0s
Engine: pi
Safe to install
No action required. This skill is safe to use as documented.

Security findings: 1

Severity: Low
Finding: CLI tool installation without version pinning (supply chain)
The skill instructs users to install @membranehq/cli with the @latest tag, which could install a different version over time.
npm install -g @membranehq/cli
→ Consider pinning to a specific version for reproducible builds
Location: SKILL.md:18
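
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Network access | READ | READ | ✓ Consistent | SKILL.md: Uses membrane request for API proxy calls |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: Documents npm install and membrane CLI commands |
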
2 findings

| Severity | Type | URL | Location |
| --- | --- | --- | --- |
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://developer.onespan.com/ | SKILL.md:19 |

Directory structure

1 file · 4.3 KB · 125 lines
Markdown: 1 file · 125 lines
└─ 📝 SKILL.md Markdown 125L · 4.3 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| @membranehq/cli | latest | npm | | No version pinning - minor supply chain risk |

Security highlights

✓ All shell commands are explicitly documented in SKILL.md
✓ Credential handling delegated to Membrane (no local secret storage)
✓ No base64 encoding, eval patterns, or obfuscation observed
✓ No sensitive file/path access patterns found
✓ Best practices documented (prefer built-in actions over raw API calls)
✓ No hidden functionality or shadow features detected