Security Scan
OpenClaw
Safe
high confidence
The skill is internally consistent: it delegates Lightstep access to the Membrane CLI and requires a Membrane account, does not ask for unrelated secrets, and contains only runtime instructions. However, it requires installing an npm CLI and trusting Membrane with your Lightstep auth and proxied requests.
Assessment recommendations
This skill appears coherent, but before installing or using it: 1) Verify you trust Membrane (getmembrane.com/@membranehq) because their service will handle your Lightstep auth and see proxied requests/responses. 2) Inspect the @membranehq/cli npm package and its GitHub repo (verify publisher, recent commits, and issues) before running 'npm install -g'. 3) Review OAuth scopes/consent when you authenticate so you understand what access is granted to Membrane. 4) If handling sensitive production d...
✓ Purpose and capabilities
The name/description (Lightstep integration) matches the instructions: the skill instructs use of the Membrane CLI to connect to Lightstep, list actions, run actions, and proxy API requests. Requiring a Membrane account is consistent with this design.
ℹ Instruction scope
All runtime instructions are about installing and using the @membranehq/cli, logging in, creating a connector, listing/running actions, and proxying requests to Lightstep. The instructions explicitly delegate authentication and credential refresh to Membrane — this is expected for a proxy-based integration, but it means Membrane will see Lightstep credentials and proxied request/response data, which is a privacy/trust consideration.
ℹ Install mechanism
There is no automated install spec in the registry, but SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. Installing an npm CLI globally is a common pattern but carries moderate risk: you should verify the package publisher, repository, and package contents before installing and running it with network access.
✓ Credential requirements
The skill does not request environment variables, tokens, or file paths. It explicitly advises against asking users for API keys and instead to create a connection through Membrane, which is proportionate to the stated purpose.
✓ Persistence and privileges
The skill is instruction-only, has always:false, and does not ask to modify other skills or system-wide settings. It does not request persistent privileges beyond installing and running the Membrane CLI under user control.
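Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install lightstep
Mirror: npx clawhub@latest install lightstep --registry https://cn.longxiaskill.com (mirror sync in progress)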