dotnet-cloc

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime commands that pull and run remote content — e.g., the Docker fallback "aldanial/cloc" (and the upstream repo "AlDanial/cloc") — which would fetch and execute code from an external registry at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs the agent to install software using system package managers and even shows commands with sudo (e.g., "sudo apt install cloc"), which directs the agent to perform privileged system modifications and thus can change the machine state.