Low risk: risk score 15/100
Last scanned: 22 hours ago
docsgenflow
DocsGenFlow integration. Manage Documents, Users, Workspaces. Use when the user wants to interact with DocsGenFlow data.
This is a legitimate DocsGenFlow integration skill that uses the official Membrane CLI for authentication and API interactions. No malicious behavior, hidden functionality, or credential harvesting detected.
Skill name: docsgenflow
Analysis time: 25.3s
Engine: pi
OK to install
The skill is safe to use. No action required beyond standard operational security practices.

Security findings: 1

Severity | Finding | Location
Low | Unpinned npm dependency (Supply chain) | SKILL.md:35
The npm install command uses a version wildcard which could lead to unexpected behavior if the package is updated with breaking changes.
npm install -g @membranehq/cli
→ Consider pinning to a specific version (e.g., npm install -g @membranehq/cli@<version>) for reproducible builds
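Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md:35-67 - membrane request commands interact with external API
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:31 - npm install, membrane CLI commands
File system | NONE | NONE | | No file operations in skill
Environment variables | NONE | NONE | | No direct environment access; delegated to Membrane CLI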
2 findings
Medium | External URL
https://getmembrane.com
SKILL.md:7
Medium | External URL
https://docsgen.flowiseai.com/
SKILL.md:19

Directory structure

1 file · 4.7 KB · 128 lines
Markdown 1f · 128L
└─ 📝 SKILL.md Markdown 128L · 4.7 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | * | npm | | Version not pinned; installed globally via npm

Security highlights

✓ Delegates authentication to Membrane CLI rather than handling credentials directly - reduces local credential exposure
✓ Well-documented with clear usage examples for all operations
✓ Uses official Membrane CLI (@membranehq/cli) - a legitimate, established tool
✓ No credential harvesting or sensitive data access detected
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No hidden functionality or doc-to-code mismatch - what you see is what you get
✓ No network calls to suspicious IPs or data exfiltration channels