Scan Report
0 /100
medusa-commerce
Medusa Commerce integration — manage data, records, and automate workflows via the Membrane CLI.
A clean, single-file Medusa Commerce integration skill that wraps the legitimate Membrane CLI with no hidden functionality, no credential theft, and no data exfiltration.
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md: membrane request proxies API calls through Membrane |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: npm install -g @membranehq/cli, membrane action run, membrane connect |
| Filesystem | NONE | NONE | — | SKILL.md: No filesystem operations declared or performed |
| Environment | NONE | NONE | — | SKILL.md: No environment variable access; credentials handled by Membrane server… |
| Skill Invoke | NONE | NONE | — | No nested skill invocation declared or observed |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | SKILL.md: membrane login opens browser for OAuth flow only; no browser API acces… |
| Database | NONE | NONE | — | No direct database access |
2 findings
Medium External URL
https://getmembrane.com SKILL.md:7
Medium External URL
https://docs.medusajs.com/ SKILL.md:19
File Tree
1 file · 4.6 KB · 141 lines
Markdown 1f · 141L
└─ SKILL.md (Markdown)
Security Positives
✓ Single-file skill with no executable scripts — all behavior is documented in SKILL.md
✓ No credential theft: credentials are managed server-side by Membrane with no local secrets
✓ No data exfiltration: outbound API calls go through Membrane's authenticated proxy
✓ No obfuscation: no base64, no eval, no encoded strings
✓ No hidden functionality: the skill is a thin wrapper around the @membranehq/cli CLI
✓ No sensitive file access: no .ssh, .aws, .env, or similar paths referenced
✓ No supply chain risk: no dependencies declared (CLI is installed from npm registry)
✓ Best practices documented: recommends using pre-built actions over raw API calls