pp-lemonsqueezy
Warn
Audited by Snyk on Jun 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites require fetching and executing remote code at runtime via npx -y @mvanhorn/printing-press-library (npm package) and go install github.com/mvanhorn/printing-press-library/library/payments/lemonsqueezy/cmd/lemonsqueezy-pp-cli@latest (and the MCP: github.com/mvanhorn/printing-press-library/library/payments/lemonsqueezy/cmd/lemonsqueezy-pp-mcp@latest), which are required installs that execute external code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a Lemon Squeezy CLI that directly drives a payments platform via its API. It exposes explicit write operations for financial flows:
checkouts create (POST /v1/checkouts), discounts create/delete, subscriptions update/delete (cancel), usage-records create, and an actionable refund-cascade --apply that disables license keys after a refund. It requires a Lemon Squeezy API key (HTTP Bearer) and supports live POSTing (not just read-only or dry-run). These are specific, payment-related execution capabilities (creating checkouts, managing discounts/subscriptions, recording usage, applying refund actions), so this skill grants direct financial execution authority.
Issues (2)
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata