zoho-commerce

Warn

Audited by Snyk on Apr 3, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill instructs running npx/npm to fetch and execute the @membranehq/cli package at runtime (e.g., npx @membranehq/cli@latest, which pulls code from the npm registry at https://registry.npmjs.org/@membranehq/cli), so remote code is executed and the skill depends on that external package.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is an explicit Zoho Commerce e-commerce integration that lists "Payment Gateway" and describes capabilities to "process orders" and "accept payments." It exposes Membrane CLI actions and proxying to the Zoho Commerce API (with ability to run HTTP methods and action runs), which can be used to perform payment-related operations (e.g., processing payments, managing gateways, creating orders). This is a specific financial execution capability rather than a generic tool, so it can directly move money or trigger payment workflows.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Apr 3, 2026, 08:51 AM
  • Issues: 2