firebase-firestore

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill repeatedly instructs running npx -y firebase-tools@latest (which downloads and executes code from the npm registry, e.g. https://registry.npmjs.org or https://www.npmjs.com/package/firebase-tools) at runtime and relies on it for provisioning/deploying Firestore, so this is a runtime fetch that executes remote code and poses a supply-chain execution risk.