turso

Warn

Audited by Socket on Apr 21, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill's core purpose is plausible, and the npm-installed Membrane CLI appears officially distributed. However, the actual data flow is not a direct Turso integration: authentication, credential storage/refresh, and API proxying all run through Membrane infrastructure. That intermediary design is broader than the stated Turso-only purpose and creates meaningful third-party credential and data exposure, though not enough evidence supports calling it malicious.

Confidence: 87%
Severity: 58%

Audit Metadata
Analyzed At: Apr 21, 2026, 08:35 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fturso%2F@46743af5fd115595c575884230c0a6783b50ba08