by 安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
This skill appears to do what it says (PipelineCRM integration via Membrane), but consider the following before installing:
- Trust & data flow: Using this skill sends CRM requests through Membrane (getmembrane.com). That means your PipelineCRM data and API traffic will be proxied by a third party. Review Membrane's privacy/security policies and confirm you trust the service.
- Installation: SKILL.md tells you to install @membranehq/cli from npm (or use npx), but the registry metadata omitted t...详细分析 ▾
✓ 用途与能力
Name/description match the instructions: the skill integrates with PipelineCRM via the Membrane CLI and PipelineCRM API proxy. The actions and workflows described (connectors, actions, proxy requests) are consistent with a CRM integration.
ℹ 指令范围
Runtime instructions are focused on using the Membrane CLI to authenticate, discover actions, run actions, and proxy arbitrary PipelineCRM API requests. They do not ask the agent to read unrelated local files or secrets. Important note: requests and data are routed through Membrane's service (a third-party proxy), so CRM data will be transmitted to/get processed by that external service.
ℹ 安装机制
There is no formal install spec in the registry metadata, but the SKILL.md directs the user to install an npm package (npm install -g @membranehq/cli) or use npx. Installing a global npm package is a normal but privileged action (may require elevated permissions). The install source is the public npm registry (moderate risk) and is expected for this purpose, but the mismatch between declared 'no install' and the documented install step is an inconsistency.
ℹ 凭证需求
The registry lists no required env vars or credentials, but the SKILL.md clearly requires a Membrane account and browser-based login (credentials managed by the Membrane CLI). The skill does not request unrelated credentials, but it does rely on an external service to store/manage auth — users should be aware of that and of any data the proxy will see.
✓ 持久化与权限
The skill does not request always: true and has no special persistence or system-wide privileges. The Membrane CLI will persist its own auth/config locally (normal behavior for a CLI) but the skill does not request modifying other skills or system configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/4
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install pipeline-crm
镜像加速npx clawhub@latest install pipeline-crm --registry https://cn.longxiaskill.com