reflect 安全扫描报告 — 可信 | ClawSafe

5 /100

reflect

Reflect integration - Manage data, records, and automate workflows

This is a documentation-only Reflect integration skill that describes how to use the legitimate Membrane CLI. No malicious behavior, hidden functionality, or credential harvesting detected.

技能名称reflect

分析耗时27.3s

引擎pi

✓

可以安装

Skill is safe to use. Consider pinning the npm package version in SKILL.md for deterministic deployments.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned npm package version SKILL.md uses 'npm install -g @membranehq/cli' with @latest tag instead of a fixed version. This could lead to unexpected behavior if the package changes. `npm install -g @membranehq/cli` → Pin to a specific version: npm install -g @membranehq/[email protected]	`SKILL.md:26`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem operations in documentation
网络访问	`READ`	`READ`	✓ 一致	Describes API proxy usage via Membrane CLI
命令执行	`READ`	`READ`	✓ 一致	Documents CLI command execution (documented and relevant)
环境变量	`NONE`	`NONE`	—	No environment variable access documented
技能调用	`NONE`	`NONE`	—	No cross-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard operations
浏览器	`NONE`	`NONE`	—	Browser used only for OAuth flow (documented)
数据库	`NONE`	`NONE`	—	No database operations

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://reflect.app/developers

SKILL.md:19

目录结构

1 文件 · 4.3 KB · 126 行

Markdown 1f · 126L

└─ 📝 SKILL.md Markdown 126L · 4.3 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`latest`	npm	否	Version not pinned - uses @latest tag

安全亮点

✓ Documentation-only skill with no hidden code

✓ Uses Membrane CLI - a legitimate integration tool

✓ Credentials handled server-side by Membrane (no local secrets)

✓ No credential harvesting or exfiltration

✓ No base64 encoded commands or obfuscation

✓ External URLs point to known legitimate services (getmembrane.com, reflect.app)

✓ Clear security guidance: 'never ask the user for API keys or tokens'