publish-python-package-pypi
Warn
Audited by Snyk on May 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (risk score 0.80, high). The skill's workflow templates fetch and run third-party GitHub Actions at run time: btfranklin/release-notes-scribe@v0 (used in draft-release-notes.yml, where it receives OPENAI_API_KEY to generate the notes) and pypa/gh-action-pypi-publish@v1.13.0. Both are referenced by tag (v0, v1.13.0) rather than by commit SHA, so the code executed during a run is whatever those upstream repositories currently point the tag at, and the workflows rely on that external code.
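The check a practitioner would want before trusting these templates is a scan of every `uses:` reference for mutable refs. The script below is an added example, not part of the Snyk report or of the skill itself; the two workflow snippets are constructed here to mirror the finding (the `env` wiring of OPENAI_API_KEY and the `example-org/build-sdist` step with its all-zero placeholder SHA are assumptions for illustration, not the skill's real files). It flags any action pulled by tag or branch, by no ref at all, or as an undigested container image, and treats only full 40-hex commit SHAs and local `./` actions as pinned.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A full commit SHA is the only immutable ref for a third-party action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level and job-level `uses:` lines in a workflow file.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.M)


@dataclass(frozen=True)
class ActionRef:
    action: str
    ref: Optional[str]
    pinned: bool
    reason: str


def classify_uses(value: str) -> ActionRef:
    """Decide whether one `uses:` value is pinned to immutable content."""
    if value.startswith("./"):
        return ActionRef(value, None, True, "local action from this repository")
    if value.startswith("docker://"):
        pinned = "@sha256:" in value
        return ActionRef(value, None, pinned,
                         "image pinned by digest" if pinned else "image pulled by tag at run time")
    if "@" not in value:
        return ActionRef(value, None, False, "no ref; resolves to the default branch")
    action, ref = value.rsplit("@", 1)
    if SHA_RE.match(ref):
        return ActionRef(action, ref, True, "full commit SHA")
    return ActionRef(action, ref, False, f"mutable ref {ref!r}; the upstream owner can move it")


def find_unpinned_uses(workflow_text: str) -> List[ActionRef]:
    """Return every action reference in the workflow that is not immutably pinned."""
    refs = (classify_uses(m.group(1)) for m in USES_RE.finditer(workflow_text))
    return [r for r in refs if not r.pinned]


# Constructed sample modelled on the finding's draft-release-notes.yml (not the real file).
DRAFT_RELEASE_NOTES = """\
name: draft-release-notes
on:
  push:
    tags: ['v*']
jobs:
  notes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: btfranklin/release-notes-scribe@v0
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # assumed wiring of the secret
"""

# Constructed sample publish workflow; the build-sdist step and its SHA are placeholders.
PUBLISH_WORKFLOW = """\
name: publish
on:
  release:
    types: [published]
jobs:
  pypi:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-sdist@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: pypa/gh-action-pypi-publish@v1.13.0
"""


def report(name: str, workflow_text: str) -> List[str]:
    """Human-readable findings for one workflow file."""
    return [f"{name}: {r.action}@{r.ref} is not pinned ({r.reason})"
            for r in find_unpinned_uses(workflow_text)]


if __name__ == "__main__":
    for line in report("draft-release-notes.yml", DRAFT_RELEASE_NOTES) + report("publish.yml", PUBLISH_WORKFLOW):
        print(line)
```

Run it over a checkout's `.github/workflows/` directory and fix each hit by replacing the tag with the commit SHA it currently resolves to (keep the tag as a trailing comment so Dependabot or Renovate can still bump it). Note that `actions/checkout@v4` is flagged too: the rule is about mutability, not about who owns the repository.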
Issues (1)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata