memberful

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes the Membrane CLI at runtime (e.g., via "npx @membranehq/cli@latest" / "npm install -g @membranehq/cli@latest"), which fetches and executes remote code from the npm registry (e.g., https://registry.npmjs.org/@membranehq/cli) and is a required runtime dependency—so it can execute remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated integration for Memberful, a subscription/membership platform that exposes Orders, Subscriptions, Products, Plans, Discounts and related actions. It uses Membrane to discover and run actions (create/update operations) against Memberful, including creating orders/subscriptions and managing billing-related objects. Those are explicit financial commerce operations (selling subscriptions/creating orders/adjusting discounts) that can result in moving money or changing billing state, so this grants direct financial execution capability.