stripe-treasury

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). I flagged the Membrane CLI installation (npm install -g @membranehq/cli@latest — https://www.npmjs.com/package/@membranehq/cli) because the skill requires fetching and installing remote executable code from the npm registry that is then run as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe Treasury integration (a banking-as-a-service product) and exposes domain-specific actions such as FinancialAccount, InboundTransfer, OutboundPayment, and OutboundTransfer. It instructs using the Membrane CLI to create/run actions (membrane action run ...) against a Stripe Treasury connection, including running actions that can move funds (e.g., outbound payments/transfers, "pay bills", manage cash flow). This is a purpose-built financial API integration (not a generic tool), so it grants direct financial execution capability.