pypi-ops
Warn
Audited by Snyk on Jun 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The workflow (assets/publish.yml) references external GitHub actions that are fetched & executed at runtime (e.g. pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b and actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd), so these remote repos are runtime dependencies that run their code during the publish job.
Issues (1)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata