eliteforge-agent-must-known

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). scripts/bootstrap_env.py writes and uses internal registries (e.g. http://nexus.cisdigital.cn/repository/pypi/simple/, http://nexus.cisdigital.cn/repository/pypi-internal/, http://nexus.cisdigital.cn/repository/npm/) and then invokes pipx/npm to install packages at runtime, which will fetch remote packages and execute their installation code, so these URLs are runtime external dependencies that can lead to remote code execution.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). Yes — the skill explicitly instructs the agent to auto-install system packages and modify system files (notably /etc/hosts and global Git/config files) and to run apply-mode scripts that change the machine state (operations that may require sudo), so it directs modifications to the host system.