paperclip-board
Warn
Audited by Snyk on Jun 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit endpoints and payload fields to set and modify budgets and approvals: e.g., creating/updating a company with "budgetMonthlyCents" (POST /api/companies, PATCH /api/companies/:id), setting agent budgets via "budgetMonthlyCents" in agent-hire (POST /api/companies/:companyId/agent-hires), and approval endpoints (POST /api/approvals/:id/approve) used to approve items like paid tools ("Icon library ($12/mo)"). These are concrete APIs for changing budget values and approving paid items (not just read-only views), which constitutes direct financial execution authority per the policy.
Issues (1)
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata