auth0-spa-js

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to run a runtime GitHub API query (gh api repos/auth0/auth0-spa-js/releases/latest — fallback: https://github.com/auth0/auth0-spa-js/releases) to fetch the SDK version which will directly control dependency lines, and its automated setup includes executing a remote install script (curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/install.sh | sh) — both are runtime external fetches that either directly control the agent's instructions or execute remote code.