community-ff-mcp

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisite instructs running "npx -y community-ff-mcp" (which fetches and executes the remote npm package community-ff-mcp from the npm registry at runtime), making it a required runtime dependency that downloads and runs external code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly surfaces payment gateway configuration via the get_in_app_purchases tool (mentions Stripe, Braintree, RevenueCat, Razorpay). It exposes project integration/config endpoints and supports pushing validated YAML back with update_project_yaml, so it can read and modify payment gateway/in-app-purchase settings. This is a specific, finance-related capability (payment gateways) rather than a generic tool, so it meets the "Direct Financial Execution" flag criteria.