The victim can be tricked into accepting the invite as a normal GET request is sent while accepting the request.
Make an html page using the following code:
<a href="https://liberapay.com/test/membership/accept">click here</a>
Change" test" with your team mate.
The impact is low but still it can make a user to accept the request even if he wanted not to.