Scan Report
15/100
pitchly
Pitchly integration for managing data, records, and automating workflows via the Membrane CLI
Documentation-only skill with transparent shell commands for the legitimate Membrane CLI; no hidden code or malicious behavior detected.
Safe to install
Skill is safe to use. Consider pinning the CLI version in production: npm install -g @membranehq/[email protected]
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm package version | SKILL.md:36 |
| Info | External service dependencies | SKILL.md:7 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:36 - npm install -g @membranehq/cli |
| Network | READ | READ | ✓ Aligned | SKILL.md:7 - https://getmembrane.com, https://pitchly.com/api/ |
| Filesystem | NONE | NONE | — | N/A - no file operations in skill |
| Environment | NONE | NONE | — | N/A - credentials handled by Membrane server-side |
2 findings
Medium, External URL: https://getmembrane.com (SKILL.md:7)
Medium, External URL: https://pitchly.com/api/ (SKILL.md:19)
File Tree
1 files · 4.4 KB · 126 lines
Markdown: 1f · 126L
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | * | npm | No | Global install without version pin; verify package authenticity before installation |
Security Positives
✓ Credentials are handled server-side by Membrane with no local secret storage
✓ All shell commands are explicitly declared in documentation
✓ No hidden functionality or obfuscated code present
✓ Uses legitimate Membrane CLI for API interaction
✓ No credential harvesting or environment variable exfiltration
✓ No sensitive paths (~/.ssh, ~/.aws, .env) accessed
✓ No base64, eval, or obfuscated execution patterns
✓ No network requests to IP addresses or suspicious endpoints