Low Risk — Risk Score 10/100
Last scan: 1 day ago
tabnine
Tabnine integration via Membrane CLI for AI code completion management
This is a documentation-only skill wrapping the legitimate Membrane CLI for Tabnine integration. No executable code or scripts are present; all functionality is declared in SKILL.md.
Skill Name: tabnine
Duration: 27.9s
Engine: pi
Safe to install
No immediate action required. If executing this skill, ensure the Membrane CLI is installed from the official npm registry and verify its integrity.

Findings (2 items)

Severity: Low
Finding: Unpinned npm package dependency (Supply Chain)
The skill instructs users to install @membranehq/cli without a version pin. This could lead to unexpected behavior if the package is updated.
Evidence: npm install -g @membranehq/cli
→ Specify a version: npm install -g @membranehq/cli@latest makes the dist-tag explicit but still resolves to whatever is published as latest; pin to a specific version (for example @<version>) to make installs reproducible.
Location: SKILL.md:22

Severity: Info
Finding: Capabilities not formally declared (Doc Mismatch)
The skill uses network and shell capabilities but does not declare them in the standard allowed-tools format. While the behavior is documented in prose, the formal declaration is missing.
Evidence: No allowed-tools or capabilities section present
→ Add a capabilities section to explicitly declare required permissions
Location: SKILL.md:1
Resource     Declared  Inferred  Status     Evidence
Filesystem   NONE      READ      ✓ Aligned  SKILL.md:32 (bash scripts may read files)
Network      NONE      READ      ✓ Aligned  SKILL.md:22 (npm install + membrane CLI network calls)
Shell        NONE      WRITE     ✓ Aligned  SKILL.md:32-70 (multiple bash command blocks)
External URLs (2 findings)

Medium  External URL  https://getmembrane.com  (SKILL.md:7)
Medium  External URL  https://www.tabnine.com/documentation/  (SKILL.md:19)

File Tree

1 file · 4.3 KB · 121 lines
Markdown: 1 file · 121 lines
└─ SKILL.md (Markdown, 121 lines, 4.3 KB)

Dependencies (1 item)

Package          Version             Source  Known Vulns  Notes
@membranehq/cli  latest (unpinned)   npm     No           Not pinned to a specific version; latest is used

Security Positives

✓ Documentation-only skill with no hidden executable code
✓ All CLI commands and their purposes are clearly documented
✓ No credential theft indicators or sensitive data access patterns
✓ No obfuscation, base64 payloads, or anti-analysis techniques
✓ No downloads of unverified external scripts
✓ Uses a legitimate, established CLI tool (Membrane) with proper auth handling
✓ Encourages using pre-built actions over raw API calls for better security