Scan Report
5 /100
mati
Mati identity verification platform integration via Membrane CLI
A single-file Mati identity verification integration skill using the official Membrane CLI. All capabilities (network access, shell execution for npm install and membrane CLI) are declared in SKILL.md. No scripts, no dependencies beyond npm, no credential harvesting, no obfuscation, and no sensitive file access.
Safe to install
No action needed. The skill is a legitimate connector wrapper with transparent, documented behavior.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | SKILL.md: No file read/write operations described |
| Network | READ | READ | ✓ Aligned | SKILL.md: Communicates with Membrane and Mati APIs |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: npm install -g @membranehq/cli; membrane login/connect/run commands |
| Environment | NONE | NONE | — | SKILL.md: No environment variable access described |
| Skill Invoke | NONE | NONE | — | SKILL.md: No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | SKILL.md: Browser used only for OAuth flow via Membrane, not controlled by the s… |
| Database | NONE | NONE | — | SKILL.md: No direct database access |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://docs.mati.global/reference/ SKILL.md:19 File Tree
1 files · 4.3 KB · 123 lines Markdown 1f · 123L
└─
SKILL.md
Markdown
Security Positives
✓ Single-file skill with no hidden scripts or binaries
✓ All shell commands (npm install, membrane CLI) are explicitly documented in SKILL.md
✓ No credential harvesting — Membrane handles auth server-side with no local secrets
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation, base64 encoding, or anti-analysis patterns
✓ No external IP addresses or suspicious URLs beyond legitimate Membrane/Mati domains
✓ Proxy request feature is documented and uses Membrane's authenticated gateway
✓ Uses official npm package (@membranehq/cli) from public registry