Scan Report
5 /100
workfront
Workfront integration. Manage data, records, and automate workflows. Use when the user wants to interact with Workfront data.
Pure documentation-only skill that guides users through legitimate CLI commands for Workfront integration via the Membrane SDK. No executable code present; all operations are visible shell commands the user can inspect.
Safe to install
No action required. The skill is safe to use. The declared shell:WRITE permission is appropriate for npm install and CLI command execution.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Excessive repetitive content Doc Mismatch | SKILL.md:80 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md documents npm install -g @membranehq/cli and membrane CLI commands |
| Network | READ | READ | ✓ Aligned | SKILL.md references https://experienceleague.adobe.com/docs/workfront.html for d… |
| Filesystem | NONE | NONE | — | No file operations documented or required |
| Environment | NONE | NONE | — | No environment variable access documented |
| credential_theft | NONE | NONE | — | SKILL.md explicitly says 'never ask for API keys' and delegates auth to Membrane… |
2 findings
| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: https://getmembrane.com | SKILL.md:7 |
| Medium | External URL: https://experienceleague.adobe.com/docs/workfront.html | SKILL.md:19 |

File Tree
1 files · 46.2 KB · 469 lines
Markdown 1f · 469L
└─ SKILL.md (Markdown)
Security Positives
✓ No executable code present — purely a documentation file
✓ No obfuscation, base64, or hidden commands
✓ No credential harvesting — explicitly delegates auth to the Membrane SDK
✓ All shell commands are explicitly documented and user-visible
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No network exfiltration or C2 communication patterns
✓ Uses a legitimate, publicly known SDK (@membranehq/cli)
✓ No supply chain risk — no dependencies or scripts included