cronofy 安全扫描报告 — 可信 | ClawSafe

5 /100

cronofy

Cronofy integration for scheduling automation and calendar management via Membrane CLI

This is a pure documentation skill with no executable code. It describes a legitimate Cronofy calendar API integration using the official Membrane CLI tool.

技能名称cronofy

分析耗时22.3s

引擎pi

✓

可以安装

This skill is safe to use. No additional security controls needed beyond standard network and shell access requirements.

安全发现 1 项

严重性	安全发现	位置
低危	CLI dependency without version pinning The SKILL.md instructs users to install @membranehq/cli globally without specifying a version, which could lead to unexpected updates. `npm install -g @membranehq/cli` → Consider pinning to a specific version: npm install -g @membranehq/cli@latest	`SKILL.md:29`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:45 - membrane request CONNECTION_ID /path/to/endpoint
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md:29-32 - npm install -g and membrane login commands
文件系统	`NONE`	`NONE`	—	No file operations described
环境变量	`NONE`	`NONE`	—	No environment variable access mentioned

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://developers.cronofy.com/

SKILL.md:19

目录结构

1 文件 · 4.4 KB · 127 行

Markdown 1f · 127L

└─ 📝 SKILL.md Markdown 127L · 4.4 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`*`	npm	否	Version not pinned in documentation

安全亮点

✓ No executable code present - pure documentation skill

✓ Explicitly instructs to never collect user API keys - uses Membrane's credential management

✓ Uses official Membrane CLI tool with documented behavior

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env references)

✓ No base64 encoding, eval(), or obfuscated payloads

✓ No credential harvesting patterns

✓ No remote script execution (curl|bash, wget|sh)

✓ Legitimate Cronofy API integration documented with official developer docs