扫描报告
15 /100
lumigo
Lumigo integration skill for cloud observability platform interaction
This is a documentation-style skill that uses the Membrane CLI for Lumigo integration with no malicious behavior detected, though npm install lacks version pinning.
可以安装
Pin the CLI version to prevent unexpected updates: `npm install -g @membranehq/[email protected]`
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Unpinned npm dependency 供应链 | SKILL.md:25 |
| 低危 | Network access not declared in capability requirements 文档欺骗 | SKILL.md:1 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 命令执行 | READ | WRITE | ✓ 一致 | SKILL.md:25 - npm install -g requires shell WRITE |
| 网络访问 | NONE | READ | ✓ 一致 | SKILL.md:45-80 - API requests through Membrane proxy |
| 文件系统 | NONE | NONE | — | No filesystem operations declared or used |
| 环境变量 | NONE | NONE | — | Membrane handles auth; no env var access |
| 凭证访问 | NONE | NONE | — | No credential harvesting; delegated to Membrane OAuth |
2 项发现
中危 外部 URL 外部 URL
https://getmembrane.com SKILL.md:7 中危 外部 URL 外部 URL
https://lumigo.io/docs/ SKILL.md:19 目录结构
1 文件 · 4.6 KB · 135 行 Markdown 1f · 135L
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
@membranehq/cli | * | npm | 否 | No version pinned - latest will be installed |
安全亮点
✓ No credential harvesting or exfiltration detected
✓ No base64-encoded or obfuscated code
✓ No shell command injection vectors
✓ Authentication uses browser-based OAuth, not storing secrets locally
✓ Documentation accurately describes all functionality
✓ No direct API key or token handling by the skill
✓ Uses established Membrane platform for credential management