Security Scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This skill is coherent, but before installing or using it: (1) Confirm you trust the Membrane service (@membranehq) because the workflow gives Membrane proxy access to ShipWorks data; review their privacy/terms and the package on npm/github. (2) Prefer using npx or a non-global install (or a container) to avoid an untrusted global npm package. (3) Expect an interactive browser-based login flow (or a copy-paste code for headless environments). (4) If you need stricter control, inspect the Membran...
✓ Purpose and capabilities
The skill describes ShipWorks operations and consistently instructs the agent to use the Membrane CLI and Membrane connections to access ShipWorks; requiring a CLI and network access is appropriate for this integration.
✓ Instruction scope
SKILL.md stays on-topic: it instructs installing and using the Membrane CLI, creating/listing connections, running actions, and proxying API requests. It does not ask to read unrelated local files or environment variables, nor to exfiltrate data to unexpected endpoints.
ℹ Install mechanism
The instructions recommend installing a third-party npm CLI (@membranehq/cli) globally. This is proportionate to the task, but installing a public npm package requires trusting that package/provider; the registry entry itself does not perform the install.
✓ Credential requirements
No environment variables, credentials, or config paths are requested by the skill. The docs explicitly state Membrane manages auth server-side, which aligns with the described workflow.
✓ Persistence and privileges
The skill does not request always:true, does not modify other skills or system config, and is user-invocable. Default autonomous invocation is allowed by platform policy and does not by itself raise concerns here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/8
● Suspicious
Install command
Official: npx clawhub@latest install shipworks
Mirror: npx clawhub@latest install shipworks --registry https://cn.longxiaskill.com (mirror sync in progress)