ce-cart-checkout

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime CDN script that is fetched and executed in-browser for the managed checkout flow (https://cdn.commercengine.com/v1.js), which constitutes executing remote code as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly supports payment gateway integration and end-to-end checkout/payment flows. It recommends a Hosted Checkout that "handles the entire purchase flow" including "payment gateway integration", and the custom checkout section documents payment-specific APIs and steps such as sdk.order.createOrder({ cart_id, payment_method }), using payment_info from the order response to process payment, and sdk.order.getPaymentStatus(orderNumber). These are concrete, purpose-built APIs for creating orders and processing payments (i.e., moving money), not generic tooling. Therefore it grants direct financial execution capability.