orbisx

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs runtime use of the Membrane CLI (e.g., "npx @membranehq/cli@latest" and "npm install -g @membranehq/cli"), which fetches and executes remote code from the npm registry and is a required dependency for running actions, so it meets the criteria for a runtime-executed external dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes financial entities and operations (Payment, Refund, Invoice, Recurring Invoice, Subscription, Purchase Order, Expense, Credit Note, etc.) and provides concrete ways to invoke OrbisX API actions via the Membrane CLI or Membrane proxy (including POST/PUT/PATCH/DELETE). That combination permits creating/refunding payments and managing billing objects programmatically — i.e., executing financial transactions. Although the interface uses a generic proxy/CLI, the documented action types are specific to payments and refunds, so this is capable of direct financial execution.