0xkey-keyops-manifest

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime downloads of and executes operator binaries (keyops and qos_client) from GitHub Releases — e.g. curl to https://github.com/0xkey-io/enclave-keyops-skills/releases/latest/download/... and auto-fetches from https://github.com/0xkey-io/qos — so remote code is fetched at runtime and relied on as a required dependency.