flows-external-app-submit

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes "npx @cognite/cli@latest apps submit" at runtime, which causes npx to fetch and execute remote code from the npm registry (https://registry.npmjs.org/) to perform the submit operation, so an external package is fetched-and-run and is required for the skill to complete.