lefthook

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The documentation shows Lefthook's "remotes" feature will fetch and merge configuration from Git URLs at runtime (e.g., https://github.com/evilmartians/lefthook), and those remote configs can change hook commands/scripts that Lefthook will execute, meaning remote content can control executed code.