woovi

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires installing/ running the Membrane CLI (npm install -g @membranehq/cli and npx @membranehq/cli@latest), which at runtime fetches and executes code from the npm registry (e.g. https://registry.npmjs.org/@membranehq/cli), so remote code from that URL can directly execute and control behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated integration for Woovi, a payment-link/payment gateway service, and explicitly exposes payment-related actions (e.g., "Charge" / "Checkout"). It documents running Membrane actions and proxying requests to Woovi's API (including POST/PUT/etc.), and Membrane handles auth/credential refresh — enabling the agent to create or execute payment-related operations directly. This is a specific financial integration (payment gateway), not a generic tool, so it grants direct financial execution capability.