security-scanning

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's CI and pre-commit configurations fetch and execute remote code as required dependencies—e.g., pre-commit repos https://github.com/returntocorp/semgrep and https://github.com/Yelp/detect-secrets and GitHub Actions (returntocorp/semgrep-action@v1, anchore/sbom-action@v0, anchore/scan-action@v3) are pulled at runtime and run code, so external content can directly execute during the skill's operation.