Low Risk — Risk Score 10/100
Last scan: 2 days ago
sage-intacct
Sage Intacct integration for managing financial data, records, and workflow automation
This is a legitimate Sage Intacct integration skill that uses the Membrane CLI to proxy API requests with proper OAuth-based authentication. All functionality is declared and no malicious patterns were found.
Skill Name: sage-intacct
Duration: 23.9s
Engine: pi
Safe to install
This skill is safe to use. No additional security controls are needed beyond standard npm global install awareness.

Findings 2 items

Severity Finding Location
Low
Global npm install grants broad scope
The skill instructs users to run 'npm install -g @membranehq/cli' which installs the package globally. This is declared behavior but provides package access beyond the skill's scope.
npm install -g @membranehq/cli
→ Consider documenting this requirement clearly to users who may have restricted npm permissions.
SKILL.md:21
Low
Third-party credential management
The skill delegates all credential management to the Membrane service. While this is declared and reduces local credential exposure, it introduces a third-party dependency for security-critical authentication.
Membrane handles authentication and credentials refresh automatically
→ Users should verify Membrane's security posture if handling sensitive financial data.
SKILL.md:27
Resource Declared Inferred Status Evidence
Shell WRITE WRITE ✓ Aligned npm install -g @membranehq/cli, membrane login/run/request commands
Network READ READ ✓ Aligned membrane request PROXY_ID /path/to/endpoint
Filesystem NONE NONE No file operations declared or observed
Environment NONE NONE No environment variable access observed
Browser NONE NONE Browser auth flow handled externally by Membrane
2 findings
Medium External URL
https://getmembrane.com
SKILL.md:7
Medium External URL
https://developer.sage.com/api/accounting/
SKILL.md:19

File Tree

1 files · 4.4 KB · 129 lines
Markdown 1f · 129L
└─ 📝 SKILL.md Markdown 129L · 4.4 KB

Security Positives

✓ No credential harvesting or exfiltration observed
✓ All shell commands are declared in SKILL.md
✓ No base64-encoded payloads or obfuscated code
✓ No direct IP connections or suspicious network patterns
✓ Uses OAuth-like browser authentication instead of storing API keys
✓ Credential lifecycle managed server-side by Membrane
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No eval(), atob(), or dynamic code execution