Scan Report
0 /100
hellosign
HelloSign integration. Manage Templates, Teams, Accounts. Use when the user wants to interact with HelloSign data.
This is a documentation-only skill providing instructions for using the HelloSign API through the Membrane CLI platform. No malicious code or suspicious behavior detected.
Safe to install
This skill is safe to use. It provides legitimate documentation for HelloSign integration using the Membrane platform.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations referenced in documentation |
| Network | READ | READ | ✓ Aligned | SKILL.md declares HelloSign API integration |
| Shell | NONE | NONE | — | Only documents CLI commands; no inline shell execution in skill |
| Environment | NONE | NONE | — | SKILL.md explicitly states 'never ask for API keys' |
| Skill Invoke | NONE | NONE | — | No sub-skill invocations documented |
| Clipboard | NONE | NONE | — | Not referenced |
| Browser | NONE | NONE | — | Browser used only for OAuth flow, not automated |
| Database | NONE | NONE | — | No database operations |
2 findings
Medium External URL 外部 URL
https://getmembrane.com SKILL.md:7 Medium External URL 外部 URL
https://developers.hellosign.com/api/reference/ SKILL.md:19 File Tree
1 files · 5.5 KB · 140 lines Markdown 1f · 140L
└─
SKILL.md
Markdown
Security Positives
✓ No executable code present - documentation-only skill
✓ Explicitly states 'never ask for API keys' - follows credential security best practices
✓ Uses Membrane platform which handles auth lifecycle server-side
✓ No base64 encoding or obfuscation detected
✓ No credential harvesting or environment variable iteration
✓ No curl|bash or remote script execution patterns
✓ External URLs are legitimate services (getmembrane.com, hellosign.com)
✓ Explicitly recommends using pre-built actions over raw API calls