Scan Report
5 /100
graphql-editor
GraphQL Editor integration via Membrane CLI for managing data, records, and workflow automation
Documentation-only skill describing legitimate use of Membrane CLI for GraphQL Editor integration; no executable code present and all described behavior is declared.
Safe to install
No action required. Skill is a documentation file describing approved CLI tool usage. Consider pinning @membranehq/cli to a specific version for reproducible builds.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned CLI version Supply Chain | SKILL.md:34 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:34 - npm install -g @membranehq/cli |
| Network | READ | READ | ✓ Aligned | SKILL.md:58 - membrane request proxy for API calls |
| Filesystem | NONE | NONE | — | No file operations described |
| Environment | NONE | NONE | — | No env access described |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://graphql-editor.com/docs SKILL.md:19 File Tree
1 files · 4.4 KB · 128 lines Markdown 1f · 128L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@membranehq/cli | latest | npm | No | Version not pinned - uses @latest |
Security Positives
✓ All described behavior is documented and transparent
✓ Uses legitimate third-party CLI from established vendor (MembraneHQ)
✓ No credential harvesting - uses OAuth/browser-based auth flow
✓ No base64-encoded payloads or obfuscation
✓ No sensitive file or path access
✓ Documentation clearly explains the security model (Membrane handles credentials server-side)
✓ No network connections to unknown IPs - uses Membrane's proxy infrastructure