opencode-firebase

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The opencode.json runs "npx -y firebase-tools@latest mcp", which causes npx to fetch and execute the firebase-tools package from the npm registry (e.g. https://registry.npmjs.org/firebase-tools) at runtime, so remote code is fetched and executed as a required dependency.