graphql-editor 安全扫描报告 — 可信 | ClawSafe

5 /100

graphql-editor

GraphQL Editor integration via Membrane CLI for managing data, records, and workflow automation

Documentation-only skill describing legitimate use of Membrane CLI for GraphQL Editor integration; no executable code present and all described behavior is declared.

技能名称graphql-editor

分析耗时34.7s

引擎pi

✓

可以安装

No action required. Skill is a documentation file describing approved CLI tool usage. Consider pinning @membranehq/cli to a specific version for reproducible builds.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned CLI version 供应链 The skill instructs users to install @membranehq/cli@latest, which may resolve to different versions over time and introduce unexpected changes. `npm install -g @membranehq/cli` → Pin to a specific version (e.g., npm install -g @membranehq/[email protected]) for reproducible environments.	`SKILL.md:34`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md:34 - npm install -g @membranehq/cli
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:58 - membrane request proxy for API calls
文件系统	`NONE`	`NONE`	—	No file operations described
环境变量	`NONE`	`NONE`	—	No env access described
技能调用	`NONE`	`NONE`	—	No cross-skill invocation

2 项发现

🔗

中危外部 URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://graphql-editor.com/docs

SKILL.md:19

目录结构

1 文件 · 4.4 KB · 128 行

Markdown 1f · 128L

└─ 📝 SKILL.md Markdown 128L · 4.4 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@membranehq/cli`	`latest`	npm	否	Version not pinned - uses @latest

安全亮点

✓ All described behavior is documented and transparent

✓ Uses legitimate third-party CLI from established vendor (MembraneHQ)

✓ No credential harvesting - uses OAuth/browser-based auth flow

✓ No base64-encoded payloads or obfuscation

✓ No sensitive file or path access

✓ Documentation clearly explains the security model (Membrane handles credentials server-side)

✓ No network connections to unknown IPs - uses Membrane's proxy infrastructure