duffel

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The Duffel skill includes explicit endpoints and request bodies to create orders/bookings with a payments[] field (amount, currency, payment type drawn from a Duffel account balance), plus endpoints to confirm cancellations (processing refunds). Those are specific API operations that initiate payments and refunds — i.e., direct financial execution — not just generic HTTP or browser actions. Therefore it should be flagged.