acpx

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx-installed agent packages at runtime (e.g., npx @zed-industries/codex-acp, npx -y @zed-industries/claude-agent-acp, npx -y opencode-ai acp, npx -y @kilocode/cli acp, npx pi-acp), which fetch and execute remote npm package code that implements agents and therefore can directly execute code or control prompts.