Scan Report
5/100
actindo
Actindo integration for ERP management - product, order, and workflow automation
Legitimate Actindo ERP integration skill using the Membrane CLI for API proxying and OAuth authentication delegation. No malicious behavior detected.
Safe to install
This skill is safe to use. The only minor improvement would be pinning the CLI version (e.g., @membranehq/[email protected]) to ensure reproducibility.
Findings: 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | CLI version not pinned (Supply Chain) | SKILL.md:32 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations observed |
| Network | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md:47 - Uses membrane request for API calls |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:32 - npm install -g and membrane commands |
| Environment | NONE | NONE | — | No direct environment access; credentials handled by Membrane |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Browser auth delegated to Membrane |
| Database | NONE | NONE | — | No direct database access |
2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://dev.actindo.com/ | SKILL.md:19 |

File Tree
1 file · 4.8 KB · 150 lines (Markdown: 1 file · 150 lines)
└─ SKILL.md (Markdown)
Dependencies: 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | * | npm | No | Version not pinned |
Security Positives
✓ Documentation is clear and describes all functionality accurately
✓ Credentials are delegated to Membrane (trusted auth provider) - no local credential storage
✓ No credential harvesting or exfiltration observed
✓ No obfuscated code, base64 execution, or suspicious patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality or doc-to-code mismatch
✓ Standard npm CLI tool from a known publisher