中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
actindo
Actindo integration for ERP management - product, order, and workflow automation
Legitimate Actindo ERP integration skill using the Membrane CLI for API proxying and OAuth authentication delegation. No malicious behavior detected.
技能名称actindo
分析耗时32.7s
引擎pi
可以安装
This skill is safe to use. The only minor improvement would be pinning the CLI version (e.g., @membranehq/[email protected]) to ensure reproducibility.

安全发现 1 项

严重性 安全发现 位置
低危
CLI version not pinned 供应链
The Membrane CLI is installed via `npm install -g @membranehq/cli` without specifying a version, which could lead to unexpected behavior if the package is updated.
npm install -g @membranehq/cli
→ Consider pinning to a specific version: npm install -g @membranehq/[email protected]
 SKILL.md:32
资源类型声明权限推断权限状态证据
文件系统 NONE NONE No file operations observed
网络访问 READ+WRITE READ+WRITE ✓ 一致 SKILL.md:47 - Uses membrane request for API calls
命令执行 WRITE WRITE ✓ 一致 SKILL.md:32 - npm install -g and membrane commands
环境变量 NONE NONE No direct environment access; credentials handled by Membrane
技能调用 NONE NONE No cross-skill invocation
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE Browser auth delegated to Membrane
数据库 NONE NONE No direct database access
2 项发现
🔗
中危 外部 URL 外部 URL
https://getmembrane.com
SKILL.md:7
🔗
中危 外部 URL 外部 URL
https://dev.actindo.com/
SKILL.md:19

目录结构

1 文件 · 4.8 KB · 150 行
Markdown 1f · 150L
└─ 📝 SKILL.md Markdown 150L · 4.8 KB

依赖分析 1 项

包名版本来源已知漏洞备注
@membranehq/cli * npm Version not pinned

安全亮点

✓ Documentation is clear and describes all functionality accurately
✓ Credentials are delegated to Membrane (trusted auth provider) - no local credential storage
✓ No credential harvesting or exfiltration observed
✓ No obfuscated code, base64 execution, or suspicious patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality or doc-to-code mismatch
✓ Standard npm CLI tool from a known publisher