mkfast-deploy

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs running "pnpm dlx @better-auth/cli@latest secret" at runtime, which fetches and executes a remote npm package (@better-auth/cli) — this is a runtime-executed external dependency that can execute code and is used as a required step when Better Auth is enabled, so it is flagged.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly detects and handles payment gateway components (mentions Stripe and Creem in dependency checks) and includes concrete deployment/configuration steps for them: "Stripe/Creem live key + price ID + webhook endpoint 配置" and instructions to push live keys via secrets. These are specific payment-gateway integrations (not generic HTTP or CLI only) and therefore meet the criteria for Direct Financial Execution authority.