payram-crypto-payments

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs running an external MCP server fetched from the repository https://github.com/PayRam/payram-helper-mcp-server (git clone ... && yarn dev), which downloads and executes remote code at runtime and provides tools that can control agent behavior, so this URL is a runtime dependency that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill is explicitly a self-hosted crypto/stablecoin payment gateway and includes tools and endpoints to accept payments, generate deposit addresses, perform smart-contract "sweeps" to cold wallets, and send crypto payouts. It lists a payram-payouts capability, scaffolds apps with "payment creation" and "payout endpoints", and exposes MCP tools for generating payment SDK snippets, webhook handlers, and testing connections. Those are purpose-built mechanisms to move and manage funds (crypto transactions and payouts), not generic utilities.