Scan Report
15/100
pitchly
Pitchly integration for managing data, records, and automating workflows via the Membrane CLI
Documentation-only skill with transparent shell commands for the legitimate Membrane CLI; no hidden code or malicious behavior detected.
Safe to install
Skill is safe to use. Consider pinning the CLI version in production: npm install -g @membranehq/[email protected]
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm package version | SKILL.md:36 |
| Info | External service dependencies | SKILL.md:7 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:36 - npm install -g @membranehq/cli |
| Network access | READ | READ | ✓ Consistent | SKILL.md:7 - https://getmembrane.com, https://pitchly.com/api/ |
| File system | NONE | NONE | — | N/A - no file operations in skill |
| Environment variables | NONE | NONE | — | N/A - credentials handled by Membrane server-side |

2 findings
Medium · External URL · https://getmembrane.com · SKILL.md:7
Medium · External URL · https://pitchly.com/api/ · SKILL.md:19

Directory structure
1 file · 4.4 KB · 126 lines
Markdown 1f · 126L
└─ SKILL.md (Markdown)

Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @membranehq/cli | * | npm | No | Global install without version pin; verify package authenticity before installation |

Security highlights
✓ Credentials are handled server-side by Membrane with no local secret storage
✓ All shell commands are explicitly declared in documentation
✓ No hidden functionality or obfuscated code present
✓ Uses legitimate Membrane CLI for API interaction
✓ No credential harvesting or environment variable exfiltration
✓ No sensitive paths (~/.ssh, ~/.aws, .env) accessed
✓ No base64, eval, or obfuscated execution patterns
✓ No network requests to IP addresses or suspicious endpoints