inplayer

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs users to install and run the external Membrane CLI (e.g., "npm install -g @membranehq/cli@latest" and "npx @membranehq/cli@latest"), which fetches and executes remote package code from the npm registry at runtime, and the skill relies on that CLI as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an integration for InPlayer, a video monetization platform, and explicitly exposes financial-related resources and actions: Transaction, Subscription, Price, Checkout Form, Voucher, Customer, etc. It uses Membrane to discover and run connector actions (membrane action run ... --input ...), which would allow invoking operations such as creating transactions, managing subscriptions, or updating prices/checkout — i.e., executing payment-related operations. Because the skill's primary and explicit domain is monetization/payment management (not a generic browser or HTTP tool), it qualifies as direct financial execution capability.