suitedash Security Report — Low Risk | ClawSafe

15 /100

suitedash

SuiteDash integration skill using the Membrane CLI for managing Organizations, Clients, Projects, Tasks, and other SuiteDash resources.

This is a straightforward SuiteDash integration skill that uses the Membrane CLI for API interaction; all behavior is fully documented with no hidden functionality or suspicious patterns.

Skill Namesuitedash

Duration33.2s

Enginepi

✓

Safe to install

Approve for use. No security concerns beyond standard practices for CLI-based integrations.

Findings 2 items

Severity	Finding	Location
Low	Global npm install without version pinning Supply Chain The skill instructs `npm install -g @membranehq/cli` without specifying a version (e.g., `@x.y.z`), which could result in a different package version being installed over time. `npm install -g @membranehq/cli` → Pin to a specific version: `npm install -g @membranehq/cli@latest` or a concrete version tag to ensure reproducible builds.	`SKILL.md:56`
Low	Proxy requests allow arbitrary API calls beyond documented actions Doc Mismatch The `membrane request CONNECTION_ID /path/to/endpoint` command allows direct API calls to any SuiteDash path. While documented, this bypasses pre-built action safeguards and could be abused if a connection ID is compromised. `membrane request CONNECTION_ID /path/to/endpoint` → Document the full scope of allowed API paths or add a warning that this grants broad API access beyond pre-defined actions.	`SKILL.md:104`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md documents `npm install -g @membranehq/cli` and `membrane` CLI invocatio…
Network	`READ`	`READ`	✓ Aligned	SKILL.md documents Membrane CLI interacting with SuiteDash API via `membrane req…
Filesystem	`NONE`	`NONE`	—	No file reads or writes observed in SKILL.md
Environment	`NONE`	`NONE`	—	SKILL.md explicitly states 'never ask the user for API keys or tokens' and that …
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation observed

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://suitedash.com/university/

SKILL.md:19

File Tree

1 files · 5.0 KB · 169 lines

Markdown 1f · 169L

└─ 📝 SKILL.md Markdown 169L · 5.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`not pinned`	npm	No	Installed globally without version constraint; could resolve to different versions over time

Security Positives

✓ All behavior is explicitly documented in SKILL.md — no hidden functionality

✓ Credentials are handled server-side by Membrane with no local secrets stored

✓ Skill explicitly instructs never to ask users for API keys or tokens

✓ Uses pre-built actions with auth, pagination, and error handling as the preferred method

✓ OAuth-based authentication (browser flow) — no password harvesting risk

✓ No base64, obfuscation, or anti-analysis patterns present

✓ No attempts to access sensitive local paths (~/.ssh, ~/.aws, .env)

✓ No data exfiltration, C2 communication, or credential theft observed

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives