Scan Report
5/100
wishpond
Wishpond marketing platform integration via Membrane CLI
A straightforward Wishpond API integration skill using the Membrane CLI framework with no hidden functionality, credential handling, or suspicious patterns.
Safe to install
This skill is safe to use. No additional security controls needed.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in SKILL.md |
| Network | READ | READ | ✓ Aligned | Uses Membrane proxy for Wishpond API calls |
| Shell | WRITE | WRITE | ✓ Aligned | Executes membrane CLI commands (login, connect, action run) |
| Environment | NONE | NONE | — | Delegates auth to Membrane; no direct env access |
| Skill Invoke | NONE | NONE | — | No nested skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | READ | READ | ✓ Aligned | Uses browser for OAuth authentication flow |
| Database | NONE | NONE | — | No database access |
2 findings
Medium: External URL, https://getmembrane.com (SKILL.md:7)
Medium: External URL, https://developers.wishpond.com/ (SKILL.md:19)
File Tree
1 file · 4.6 KB · 132 lines (Markdown: 1 file, 132 lines)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Official Membrane CLI, installed via npm install -g |
Security Positives
✓ Credential management delegated entirely to Membrane infrastructure
✓ No hardcoded secrets or API keys in documentation
✓ No shell command injection vectors detected
✓ No file system access required or declared
✓ All functionality declared and documented in SKILL.md
✓ Uses pre-built actions when possible, reducing attack surface
✓ No base64, eval, or dynamic code execution patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)