iblai-vibe-monetization-subscription
Warn
Audited by Snyk on Jul 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching the live OpenAPI schema at https://api.iblai.app/dm/api/docs/schema/ during runtime (curl in SKILL.md) to validate and drive API endpoint/method/body decisions, so that remote content directly controls the agent's API-calling behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly integrates with billing/payment endpoints and Stripe: it documents a POST subscription cancel endpoint, exposes a cancel mutation (useCancelSubscriptionMutation) that can immediately cancel subscriptions (changing status and canceled_at) or return a Stripe Customer Portal URL (portal_url) to perform cancellations inside Stripe. These are specific payment gateway operations (Stripe customer portal creation and subscription cancellation), so the skill grants direct financial-execution capability.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata