Scan report
10/100
tabnine
Tabnine integration via Membrane CLI for AI code completion management
This is a documentation-only skill wrapping the legitimate Membrane CLI for Tabnine integration. No executable code or scripts are present; all functionality is declared in SKILL.md.
OK to install
No immediate action required. If executing this skill, ensure the Membrane CLI is installed from the official npm registry and verify its integrity.
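Security findings: 2
| Severity | Security finding | Location |
|---|---|---|
| Low | Unpinned npm package dependency (supply chain) | SKILL.md:22 |
| Info | Capabilities not formally declared (documentation deception) | SKILL.md:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |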
|---|---|---|---|---|
| File system | NONE | READ | ✓ Consistent | SKILL.md:32 bash scripts may read files |
| Network access | NONE | READ | ✓ Consistent | SKILL.md:22 npm install + membrane CLI network calls |
| Command execution | NONE | WRITE | ✓ Consistent | SKILL.md:32-70 multiple bash command blocks |
2 findings
Medium: External URL https://getmembrane.com (SKILL.md:7)
Medium: External URL https://www.tabnine.com/documentation/ (SKILL.md:19)
Directory structure
1 file · 4.3 KB · 121 lines
Markdown: 1 file · 121 lines
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest (unpinned) | npm | No | Not pinned to specific version - latest is used |
Security highlights
✓ Documentation-only skill with no hidden executable code
✓ All CLI commands and their purposes are clearly documented
✓ No credential theft indicators or sensitive data access patterns
✓ No obfuscation, base64 payloads, or anti-analysis techniques
✓ No downloads of unverified external scripts
✓ Uses a legitimate, established CLI tool (Membrane) with proper auth handling
✓ Encourages using pre-built actions over raw API calls for better security