Security scan
OpenClaw
Safe
high confidence
The skill's instructions and requirements are coherent with a Neonomics integration via the Membrane CLI; it is instruction-only and does not request unrelated credentials, though it does ask you to install/run a third-party npm CLI which you should review before installing.
Assessment recommendations
This skill is instruction-only and uses the Membrane CLI to talk to Neonomics, which is coherent with its description. Before installing or running it: 1) verify the @membranehq/cli package on npm and its source repo (confirm it is the official Membrane project) and review recent maintainership and package versions; 2) prefer a local/containerized install or use npx rather than a global -g install if you want to limit system changes; 3) be aware npx/npm packages run code during install/run—only ...
Detailed analysis
ℹ Purpose and capabilities
The skill is a Neonomics integration implemented by instructing the agent to use the Membrane CLI. That matches the stated purpose. Minor inconsistency: the SKILL.md assumes presence of npm/npx and a browser (for login) but the registry metadata lists no required binaries; those runtime dependencies are expected for this workflow and should be noted by the user.
✓ Instruction scope
Instructions stay within the scope of interacting with Neonomics via Membrane: install CLI, authenticate with Membrane, create/list connections, run actions, and proxy requests. The doc explicitly advises not to ask users for API keys and relies on Membrane to manage credentials server-side.
ℹ Install mechanism
There is no formal install spec in the registry; the SKILL.md tells users to run 'npm install -g @membranehq/cli' and uses 'npx' in examples. Installing a public npm CLI is a typical approach but carries the usual npm risks (a published package can execute arbitrary code). This is not unexpected for a CLI-driven skill, but users should verify the @membranehq/cli package source and integrity before global installation.
✓ Credential requirements
The skill requests no environment variables or credentials in the registry data. The instructions rely on Membrane to manage Neonomics credentials server-side, which is proportionate to the stated purpose.
✓ Persistence and privileges
always is false and the skill is user-invocable. It does not request persistent system-level privileges or claim to modify other skills or system agent configuration.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/6
Auto sync from membranedev/application-skills
● Benign
Install command
Official: npx clawhub@latest install neonomics
Mirror (accelerated): npx clawhub@latest install neonomics --registry https://cn.longxiaskill.com