paddle

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill loads and executes remote JavaScript at runtime from https://cdn.paddle.com/paddle/v2/paddle.js (inserted in useEffect / ), which is a required dependency for the checkout flow and thus executes remote code in the agent's runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payment gateway integration (Paddle). It provides frontend checkout flows (Paddle.Checkout.open), server-side SDK calls to create products/prices, list and retrieve transactions, create customers, and full subscription management (create/update/pause/resume/cancel) plus payment-method update links and webhook handling for transaction events. These are specific, purpose-built financial operations (processing payments, managing subscriptions/transactions), not generic tooling. This meets the "Payment Gateways" criterion for Direct Financial Execution.