Scan Report
5/100
reflect
Reflect integration - Manage data, records, and automate workflows
This is a documentation-only Reflect integration skill that describes how to use the legitimate Membrane CLI. No malicious behavior, hidden functionality, or credential harvesting detected.
Safe to install
Skill is safe to use. Consider pinning the npm package version in SKILL.md for deterministic deployments.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm package version | SKILL.md:26 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem operations in documentation |
| Network | READ | READ | ✓ Aligned | Describes API proxy usage via Membrane CLI |
| Shell | READ | READ | ✓ Aligned | Documents CLI command execution (documented and relevant) |
| Environment | NONE | NONE | — | No environment variable access documented |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard operations |
| Browser | NONE | NONE | — | Browser used only for OAuth flow (documented) |
| Database | NONE | NONE | — | No database operations |
2 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getmembrane.com | SKILL.md:7 |
| Medium | External URL | https://reflect.app/developers | SKILL.md:19 |
File Tree
1 files · 4.3 KB · 126 lines
Markdown 1f · 126L
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | latest | npm | No | Version not pinned - uses @latest tag |
Security Positives
✓ Documentation-only skill with no hidden code
✓ Uses Membrane CLI - a legitimate integration tool
✓ Credentials handled server-side by Membrane (no local secrets)
✓ No credential harvesting or exfiltration
✓ No base64 encoded commands or obfuscation
✓ External URLs point to known legitimate services (getmembrane.com, reflect.app)
✓ Clear security guidance: 'never ask the user for API keys or tokens'