ast-grep

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The installers (install.sh and install.ps1) fetch and install a remote ast-grep release archive from GitHub at URLs like https://github.com/ast-grep/ast-grep/releases/download//app-.zip during runtime, which downloads and installs/exposes a binary the skill then executes—i.e., remote code is fetched and relied upon at runtime.