orbisx

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill requires running the Membrane CLI (e.g., "npm install -g @membranehq/cli@latest" or "npx @membranehq/cli@latest ..."), which will fetch and execute remote code from the npm registry (e.g., https://www.npmjs.com/package/@membranehq/cli) at runtime and is a required dependency for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill is an integration for OrbisX — a business platform that explicitly lists financial entities and actions (Invoice, Payment, Refund, Subscription, Recurring Invoice, Purchase Order, Credit Note, etc.). It uses the Membrane CLI to discover and run connector actions (membrane action run), and Membrane handles auth/credentials, meaning the agent can invoke pre-built or custom actions that create payments, refunds, subscriptions, or other money-moving operations. This is not merely a generic browser or HTTP tool; the integration is explicitly designed to manage financial operations and can execute transactional actions via the connector, so it grants direct financial execution capability.