gs-brand-doc

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The generate_pdf.sh script invokes npx -y md-to-pdf which will fetch and execute the md-to-pdf package from the npm registry at runtime (e.g., https://registry.npmjs.org/md-to-pdf), so the skill relies on and runs remote code fetched during execution.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs disabling Chromium's sandbox (using --no-sandbox and --disable-setuid-sandbox), which advises bypassing a core security mechanism and therefore encourages compromising the host's security.