skill-creator

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The eval viewer launched by generate_review.py serves HTML that loads and executes remote JavaScript from the CDN (e.g., https://cdn.sheetjs.com/xlsx-0.20.3/package/dist/xlsx.full.min.js) (and also pulls fonts from https://fonts.googleapis.com) at runtime — the viewer is part of the skill's recommended runtime workflow and the CDN JS executes code in the user's browser, so this is a runtime external dependency that executes remote code.