paperclip-board
Warn
Audited by Snyk on Jul 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit API actions that can change budget and approval state: creating/updating companies with budgetMonthlyCents (POST /api/companies, PATCH /api/companies/:id), setting agent budgetMonthlyCents in agent hires (POST /api/companies/:companyId/agent-hires and PATCH /api/agents/:id), and approving/rejecting purchase/approval requests (POST /api/approvals/:id/approve etc.). Those are concrete APIs to modify monetary budgets and approve paid items (example: "Icon library ($12/mo) — requested"), which constitutes direct financial execution authority (ability to change budgets/approve expenditures). Note: no payment-gateway or banking APIs are present, but budget/update and approval endpoints meet the "manage budgets / approve spend" criterion.
Issues (1)
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata