Scan Report
5 /100
cronofy
Cronofy integration for scheduling automation and calendar management via Membrane CLI
This is a pure documentation skill with no executable code. It describes a legitimate Cronofy calendar API integration using the official Membrane CLI tool.
Safe to install
This skill is safe to use. No additional security controls needed beyond standard network and shell access requirements.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | CLI dependency without version pinning | SKILL.md:29 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md:45 - membrane request CONNECTION_ID /path/to/endpoint |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:29-32 - npm install -g and membrane login commands |
| Filesystem | NONE | NONE | — | No file operations described |
| Environment | NONE | NONE | — | No environment variable access mentioned |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://developers.cronofy.com/ SKILL.md:19 File Tree
1 files · 4.4 KB · 127 lines Markdown 1f · 127L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | * | npm | No | Version not pinned in documentation |
Security Positives
✓ No executable code present - pure documentation skill
✓ Explicitly instructs to never collect user API keys - uses Membrane's credential management
✓ Uses official Membrane CLI tool with documented behavior
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env references)
✓ No base64 encoding, eval(), or obfuscated payloads
✓ No credential harvesting patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ Legitimate Cronofy API integration documented with official developer docs