paypal-integration
Warn
Audited by Snyk on Mar 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill loads the PayPal JavaScript SDK at runtime via the CDN URL (e.g. https://www.paypal.com/sdk/js?client-id=YOUR_CLIENT_ID&currency=USD&intent=capture&components=buttons), which fetches and executes third-party JavaScript in-page and is required for rendering/operating the PayPal buttons.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to integrate with a payment gateway (PayPal Commerce Platform). It includes concrete, specific instructions and code for creating PayPal orders, capturing payments via the Orders API v2, configuring client ID/secret and sandbox credentials, handling webhooks for PAYMENT.CAPTURE events, and enabling Venmo / Pay Later. These are direct payment-execution primitives (create order, capture payment, manage API credentials) — i.e., tools to move money.
Issues (2)
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata