zoho-invoice

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires fetching and executing remote code at runtime via npm/npx (npm install -g @membranehq/cli@latest and npx @membranehq/cli@latest), so the @membranehq/cli package is a runtime external dependency that will download and run remote code required by the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated Zoho Invoice integration (an invoicing/payment product) and explicitly exposes finance-specific objects and operations — e.g., Invoice, Recurring Invoice, Credit Note, Payment, Expense — and describes accepting online payments. It uses the Membrane CLI to discover and run connector actions against Zoho Invoice, which can include creating/recording payments and managing invoices (i.e., operations that create or record money movements or trigger payment acceptance). This is a purpose-built financial integration (not a generic browser/API tool), so it grants direct financial execution capability.