Low risk — risk score 5/100
Last scanned: 1 day ago
jaegertracing
JaegerTracing integration for monitoring and troubleshooting microservices-based applications
Documentation-only skill that provides instructions for using the Membrane CLI to interact with JaegerTracing; no executable code or malicious behavior detected.
Skill name: jaegertracing
Analysis time: 24.2s
Engine: pi
OK to install
This skill is safe to use. Consider pinning the npm package version (e.g., @membranehq/[email protected] instead of @latest) for reproducible deployments.

Security findings: 1

Severity | Finding | Location
Low
Unpinned npm package version (Supply chain)
The skill instructs users to install '@membranehq/cli' using @latest tag without a specific version. This could lead to supply chain risk if the package is compromised or significantly changed.
npm install -g @membranehq/cli
→ Pin the package version (e.g., @membranehq/[email protected]) for reproducible and secure installations
SKILL.md:24
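Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem access described or required
Network access | READ | READ | ✓ Consistent | SKILL.md: Uses Membrane CLI to proxy requests to JaegerTracing API
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: Runs npm install and membrane CLI commands
Environment variables | NONE | NONE | | No environment variable access described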
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://www.jaegertracing.io/docs/
SKILL.md:19

Directory structure

1 file · 4.5 KB · 123 lines
Markdown 1f · 123L
└─ 📝 SKILL.md Markdown 123L · 4.5 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | latest | npm | | Version not pinned - uses @latest tag

Security highlights

✓ Skill is purely documentation-based with no executable code
✓ No credential harvesting - Membrane handles authentication server-side
✓ No filesystem write access required or declared
✓ No obfuscation or suspicious patterns detected
✓ No hidden functionality or doc-to-code mismatch
✓ Official JaegerTracing documentation URLs are legitimate
✓ Membrane CLI approach is a reasonable security pattern (credentials managed server-side)