Scan Report
15/100
lumigo
Lumigo integration skill for cloud observability platform interaction
This is a documentation-style skill that uses the Membrane CLI for Lumigo integration with no malicious behavior detected, though npm install lacks version pinning.
Safe to install
Pin the CLI version to prevent unexpected updates: `npm install -g @membranehq/cli@<version>`
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned npm dependency (Supply Chain) | SKILL.md:25 |
| Low | Network access not declared in capability requirements (Doc Mismatch) | SKILL.md:1 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | READ | WRITE | ✓ Aligned | SKILL.md:25 - npm install -g requires shell WRITE |
| Network | NONE | READ | ✓ Aligned | SKILL.md:45-80 - API requests through Membrane proxy |
| Filesystem | NONE | NONE | — | No filesystem operations declared or used |
| Environment | NONE | NONE | — | Membrane handles auth; no env var access |
| credential_theft | NONE | NONE | — | No credential harvesting; delegated to Membrane OAuth |
2 findings
| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: https://getmembrane.com | SKILL.md:7 |
| Medium | External URL: https://lumigo.io/docs/ | SKILL.md:19 |

File Tree
1 files · 4.6 KB · 135 lines
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @membranehq/cli | * | npm | No | No version pinned - latest will be installed |

Security Positives
✓ No credential harvesting or exfiltration detected
✓ No base64-encoded or obfuscated code
✓ No shell command injection vectors
✓ Authentication uses browser-based OAuth, not storing secrets locally
✓ Documentation accurately describes all functionality
✓ No direct API key or token handling by the skill
✓ Uses established Membrane platform for credential management