whop-payments-network
Warn
Audited by Snyk on Apr 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill instructs clients to include and run the remote checkout script (required for the Vanilla JS embed) from https://js.whop.com/static/checkout/loader.js, which is fetched at runtime and executes remote code in the client context.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments integration (Whop Payments Network) and exposes direct money-moving APIs and components. It documents server SDK calls and embedded components for accepting payments (checkout), creating payouts and transfers, checking ledger/balances, and initiating withdrawals. Concrete examples include client.transfers.create({ amount..., origin_id, destination_id }), client.withdrawals.create({ company_id, amount }), creating checkout configurations with application_fee_amount, embedded payout/withdraw elements, and ledgerAccounts.retrieve for balances. These are specific, purpose-built financial operations (sending/receiving funds, payouts, withdrawals, fees), not generic automation or HTTP callers, and therefore constitute Direct Financial Execution authority.