dc-bank

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill requires installing and running the external Membrane CLI ("npm install -g @membranehq/cli@latest", which pulls from the npm registry at https://registry.npmjs.org/@membranehq/cli) and that CLI interacts with the Membrane backend to build/run actions that can deliver remote instructions or execute remote logic at runtime, so the fetched remote code and service responses can directly control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an explicit banking integration (“DC Bank”) and describes managing accounts, transactions, and loans. It uses a connector (dc-bank) via the Membrane CLI to discover and run actions (membrane action run) with JSON inputs. The doc explicitly states customers "make transactions" and provides mechanisms to run actions against the bank connection, which maps to direct banking API operations. Under the core rule this is a banking API integration (explicitly designed to interact with bank accounts/transactions), so it grants Direct Financial Execution capability.