morpho-cli

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs users to run "npx @morpho-org/cli@latest" at runtime, which fetches and executes remote npm package code (remote execution of code requested during skill operation), so this external dependency directly executes code and is required.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a CLI for interacting with the Morpho lending protocol on Ethereum/Base and provides targeted, domain-specific commands to prepare on-chain financial operations: prepare-deposit, prepare-withdraw, prepare-supply, prepare-borrow, prepare-repay, prepare-supply-collateral, prepare-withdraw-collateral, plus simulate-transactions. These commands build unsigned transaction payloads (including handling allowances/approvals and running simulations) for moving assets, borrowing, repaying, and managing collateral. This is a specific crypto/blockchain financial tool (not a generic API caller or browser automation), so it meets the criteria for direct financial execution capability even though it returns unsigned payloads.