document-code

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow explicitly invokes remote code at runtime with "npx ai-devkit@latest memory search --query …" (which causes npx to fetch and execute the ai-devkit package from the npm registry, e.g. https://registry.npmjs.org/ai-devkit), so this is a required runtime dependency that executes remote code.