codemap

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes its Node scripts via npx/tsx which will install and run npm packages at first run, causing runtime fetch-and-execute of code from registry URLs such as https://registry.npmjs.org/tree-sitter-wasms/-/tree-sitter-wasms-0.1.13.tgz (also tsx/web-tree-sitter entries in package-lock.json), so external content is fetched and executed at runtime.