modern-treasury

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing/running the Membrane CLI at runtime (npm install -g @membranehq/cli and npx @membranehq/cli@latest), which fetches and executes remote code from the @membranehq/cli npm package (https://www.npmjs.com/package/@membranehq/cli), and the skill relies on that CLI as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an explicit integration with Modern Treasury — a payments and money-movement platform — and exposes domain-specific actions such as "Payment Orders", "Return of Funds", "Reversals", "Ledger Transactions", "Routes", and other payment-related objects. It instructs use of the Membrane CLI to create and run actions (membrane action create / membrane action run) in the context of a Modern Treasury connection, with Membrane handling authentication. Those capabilities are specifically designed to initiate and manage financial operations (sending/returning/reversing payments, manipulating ledger entries), not generic tooling. Therefore it provides direct financial execution authority.