📦 Semgrep — Utility

v1.0.2

Integration. Manage Rules, Scans. Use when the user wants to interact with Semgrep data.

0 · 293 · 1 current · 1 total
by @gora050 (Vlad Ursul)
Security scan
VirusTotal
Benign
OpenClaw
Safe
high confidence
The skill is an instruction-only integration that uses the Membrane CLI to interact with Semgrep; its instructions, requirements, and actions are coherent with that purpose.
Assessment recommendations
This skill uses the Membrane service and its CLI to act on Semgrep data. Before installing or following the instructions: (1) recognize you'll need to install a third-party npm package globally (@membranehq/cli) and authenticate via Membrane — review that package's origin and permissions; (2) actions and proxy requests will send data (scan details, repository info, possibly findings and secrets) through Membrane's servers, so ensure you trust Membrane's privacy and access policies before grantin...
Detailed analysis
Purpose and capabilities
The skill claims to integrate with Semgrep and all runtime instructions focus on using the Membrane CLI to list connections, run actions, and proxy API calls to Semgrep. Requesting a Membrane account and network access aligns with this purpose; no unrelated credentials or binaries are requested.
Instruction scope
Instructions are limited to installing the Membrane CLI, logging in, creating connections, listing actions, running actions, and optionally proxying raw API requests via Membrane. The proxy behavior means requests and (potentially) repository/scan data will flow through Membrane's service — this is consistent with the stated design but is a privacy/third-party-data-flow consideration rather than a scope violation.
Install mechanism
There is no automated install spec in the registry; the SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. That is a normal way to obtain the Membrane CLI but does require installing a third-party npm package globally (moderate risk if you don't trust the package source).
Credential requirements
The skill declares no environment variables or local config access. It relies on Membrane to manage authentication server-side, which is proportional to its design. The lack of requested local secrets is appropriate.
Persistence and privileges
The skill is instruction-only, has no install-time persistence, and 'always' is false. It does not request elevated platform privileges or modify other skills/configuration.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Install command

Official: npx clawhub@latest install semgrep
Mirror (accelerated): npx clawhub@latest install semgrep --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库