onboard

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The onboarding flow requires installing and running the Coval CLI and explicitly directs users at runtime to download an executable from https://github.com/coval-ai/cli/releases/latest/download/coval-x86_64-pc-windows-msvc.exe (and the releases page https://github.com/coval-ai/cli/releases), which fetches remote executable code that would then be run as part of setup, so this is a runtime external dependency that executes remote code.