js-stronghold-sdk

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill loads the Stronghold JS SDK at runtime via the script tag "https://api.strongholdpay.com/v2/js", a required dependency that executes remote JavaScript (the drop-in SDK) and therefore runs remote code in the runtime environment.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payment integration (Stronghold Pay JS SDK & REST API). It includes front-end and server-side APIs/keys for accepting ACH/bank debits, linking bank accounts (payment sources), creating charges and tips (strongholdPay.charge), generating PayLinks (hosted payment pages), and mentions authorize/capture flows and secret API keys. These are specific, purpose-built financial execution operations (payment gateway / banking API functionality) rather than generic tooling.