Low risk (risk score 10/100)
Last scanned: 2 days ago
sage-intacct
Sage Intacct integration for managing financial data, records, and workflow automation
This is a legitimate Sage Intacct integration skill that uses the Membrane CLI to proxy API requests with proper OAuth-based authentication. All functionality is declared and no malicious patterns were found.
Skill name: sage-intacct
Analysis time: 23.9s
Engine: pi
OK to install
This skill is safe to use. No additional security controls are needed beyond standard npm global install awareness.

Security findings: 2

Severity | Finding | Location
Low
Global npm install grants broad scope
The skill instructs users to run 'npm install -g @membranehq/cli' which installs the package globally. This is declared behavior but provides package access beyond the skill's scope.
npm install -g @membranehq/cli
→ Consider documenting this requirement clearly to users who may have restricted npm permissions.
SKILL.md:21
Low
Third-party credential management
The skill delegates all credential management to the Membrane service. While this is declared and reduces local credential exposure, it introduces a third-party dependency for security-critical authentication.
Membrane handles authentication and credentials refresh automatically
→ Users should verify Membrane's security posture if handling sensitive financial data.
SKILL.md:27
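| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | npm install -g @membranehq/cli, membrane login/run/request commands |
| Network access | READ | READ | ✓ Consistent | membrane request PROXY_ID /path/to/endpoint |
| File system | NONE | NONE | | No file operations declared or observed |
| Environment variables | NONE | NONE | | No environment variable access observed |
| Browser | NONE | NONE | | Browser auth flow handled externally by Membrane |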
2 findings
Medium: External URL
https://getmembrane.com
SKILL.md:7
Medium: External URL
https://developer.sage.com/api/accounting/
SKILL.md:19

Directory structure

1 file · 4.4 KB · 129 lines
Markdown 1f · 129L
└─ 📝 SKILL.md Markdown 129L · 4.4 KB

Security highlights

✓ No credential harvesting or exfiltration observed
✓ All shell commands are declared in SKILL.md
✓ No base64-encoded payloads or obfuscated code
✓ No direct IP connections or suspicious network patterns
✓ Uses OAuth-like browser authentication instead of storing API keys
✓ Credential lifecycle managed server-side by Membrane
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No eval(), atob(), or dynamic code execution