Low risk: risk score 20/100
Last scanned: 1 day ago
tray
Tray.io low-code automation platform integration via Membrane CLI
This is a legitimate Tray.io integration skill using the Membrane CLI. Shell execution is required for npm commands but undocumented; behavior otherwise matches stated purpose.
Skill name: tray
Analysis time: 28.8s
Engine: pi
OK to install
Add 'shell:WRITE' to the allowed tools declaration in SKILL.md metadata to match the actual requirements. Pin the CLI version (e.g., @membranehq/cli@<version>) for reproducible installs.

Security findings: 2

Low: Missing allowed-tools declaration (category: documentation deception)
SKILL.md metadata lacks allowedTools. The skill requires shell:WRITE (npm install, membrane CLI) and network:WRITE (API proxying), but neither is declared.
Evidence: metadata section with empty allowedTools
→ Add allowedTools: [Bash] to the skill metadata. This is documentation hygiene rather than malicious concealment.
Location: SKILL.md:1

Low: Unpinned npm package version (category: supply chain)
CLI is installed with 'npm install -g @membranehq/cli' without a version pin. Future versions could introduce unexpected behavior.
Evidence: npm install -g @membranehq/cli
→ Pin to a specific version: npm install -g @membranehq/cli@latest or @membranehq/cli@<version>
Location: SKILL.md:47

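| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | NONE | WRITE | ✗ Exceeds declared permission | SKILL.md:47-48 npm install -g @membranehq/cli; SKILL.md:51 membrane login |
| Network access | NONE | WRITE | ✗ Exceeds declared permission | SKILL.md:65 membrane request proxies API calls |
| File system | NONE | NONE | | No file operations detected |
| Environment variables | NONE | NONE | | No environment variable access |
| Database | NONE | NONE | | No database access |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | Browser used only via system opener for auth flow, not automation |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
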
2 findings

Medium: External URL
https://getmembrane.com
Location: SKILL.md:7

Medium: External URL
https://developers.tray.io/
Location: SKILL.md:19

Directory structure

1 file · 4.3 KB · 124 lines
Markdown 1f · 124L
└─ 📝 SKILL.md Markdown 124L · 4.3 KB

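Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | unpinned | npm | | Version not pinned in SKILL.md install instructions |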

Security highlights

✓ Membrane CLI is from a known vendor (MembraneHQ) with an official GitHub repo
✓ No credential harvesting — Membrane manages auth server-side with no local secrets
✓ No data exfiltration — all API calls route through Membrane's documented proxy
✓ No obfuscation, base64, or suspicious encoding patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or outbound data transfer to untrusted endpoints
✓ Skill purpose (Tray.io automation) is clearly and accurately documented