by 安全扫描
OpenClaw
安全
high confidenceThe skill's instructions, requirements, and actions are consistent with a Kong integration implemented via the Membrane CLI; nothing requested appears disproportionate to its stated purpose, though installing a third-party npm CLI and relying on an external service (Membrane) requires the usual trust checks.
评估建议
This skill appears coherent and does what it says: it uses the Membrane CLI to connect to Kong. Before installing or using it: (1) verify you trust getmembrane.com and the npm package @membranehq/cli (check the package publisher, GitHub repo, and recent releases); (2) avoid running global npm installs on sensitive or locked-down machines without review; (3) confirm your organization’s policy for delegating API credentials to a third-party service—Membrane will manage connections and may store/sc...详细分析 ▾
✓ 用途与能力
The name/description (Kong integration) match the runtime instructions, which explain using the Membrane CLI to connect to Kong, discover and run actions, and let Membrane manage auth. The requested capabilities (network access, Membrane account, Membrane CLI) are coherent with the stated purpose.
✓ 指令范围
SKILL.md stays on-topic: it instructs installing and using the Membrane CLI, logging in, creating a connection to the Kong connector, listing/creating/running actions, and best practices. It does not instruct the agent to read unrelated files or environment variables, nor to exfiltrate data to unexpected endpoints beyond Membrane.
ℹ 安装机制
There is no packaged installer in the registry metadata (instruction-only), but the README tells users to run a global npm install of @membranehq/cli. That is reasonable for a CLI-based integration but raises the usual supply-chain/trust considerations for third-party npm packages.
✓ 凭证需求
The skill declares no required environment variables or credentials and relies on Membrane's interactive/browser login flow. This is proportionate to the goal of delegating auth to Membrane; no unrelated secrets are requested.
✓ 持久化与权限
The skill is not always-enabled and does not request system-level persistence or modify other skills. Autonomous invocation remains possible (platform default), which is expected and not elevated here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install kong
镜像加速npx clawhub@latest install kong --registry https://cn.longxiaskill.com镜像同步中