code-to-pantry
Warn
Audited by Snyk on Apr 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill instructs the agent to fetch and use the GitHub repo github.com/nweii/pantry (via "gh repo clone nweii/pantry"), and that repository contains a pre-commit hook (scripts/sync.js) which will run during commit — meaning fetched content can execute remote code required by the workflow.
Issues (1)
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).