Low risk: risk score 15/100
Last scan: 1 day ago
suitedash
SuiteDash integration skill using the Membrane CLI for managing Organizations, Clients, Projects, Tasks, and other SuiteDash resources.
This is a straightforward SuiteDash integration skill that uses the Membrane CLI for API interaction; all behavior is fully documented with no hidden functionality or suspicious patterns.
Skill name: suitedash
Analysis time: 33.2s
Engine: pi
Verdict: can be installed
Approve for use. No security concerns beyond standard practices for CLI-based integrations.

Security findings: 2

Severity | Finding | Location

Low
Global npm install without version pinning (category: Supply chain)
The skill instructs `npm install -g @membranehq/cli` without specifying a version (e.g., `@x.y.z`), which could result in a different package version being installed over time.
npm install -g @membranehq/cli
→ Pin to a specific version: `npm install -g @membranehq/cli@latest` or a concrete version tag to ensure reproducible builds. (Note that `@latest` still resolves to whatever release is newest at install time; only a concrete version such as `@x.y.z` gives a reproducible install.)
SKILL.md:56

Low
Proxy requests allow arbitrary API calls beyond documented actions (category: Documentation deception)
The `membrane request CONNECTION_ID /path/to/endpoint` command allows direct API calls to any SuiteDash path. While documented, this bypasses the safeguards of the pre-built actions and could be abused if a connection ID is compromised.
membrane request CONNECTION_ID /path/to/endpoint
→ Document the full scope of allowed API paths, or add a warning that this grants broad API access beyond the pre-defined actions.
SKILL.md:104
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md documents `npm install -g @membranehq/cli` and `membrane` CLI invocatio…
Network access | READ | READ | ✓ Consistent | SKILL.md documents Membrane CLI interacting with SuiteDash API via `membrane req…
File system | NONE | NONE | | No file reads or writes observed in SKILL.md
Environment variables | NONE | NONE | | SKILL.md explicitly states 'never ask the user for API keys or tokens' and that …
Skill invocation | NONE | NONE | | No cross-skill invocation observed
External URLs: 2 findings

Medium | External URL
https://getmembrane.com
SKILL.md:7

Medium | External URL
https://suitedash.com/university/
SKILL.md:19

Directory structure

1 file · 5.0 KB · 169 lines
Markdown: 1 file · 169 lines
└─ SKILL.md (Markdown, 169 lines, 5.0 KB)

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@membranehq/cli | not pinned | npm | | Installed globally without version constraint; could resolve to different versions over time

Security highlights

✓ All behavior is explicitly documented in SKILL.md — no hidden functionality
✓ Credentials are handled server-side by Membrane with no local secrets stored
✓ Skill explicitly instructs never to ask users for API keys or tokens
✓ Uses pre-built actions with auth, pagination, and error handling as the preferred method
✓ OAuth-based authentication (browser flow) — no password harvesting risk
✓ No base64, obfuscation, or anti-analysis patterns present
✓ No attempts to access sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration, C2 communication, or credential theft observed