hx

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The languages.md example shows a tree-sitter grammar specified with git = "https://github.com/example/mylang" which the docs instruct to fetch and build with "hx --grammar fetch && hx --grammar build", meaning remote repository code would be fetched, built, and loaded by the editor at runtime (allowing execution of arbitrary/native code and controlling syntax/queries), so this URL is a runtime external dependency that can execute code.