pr-merge-temporal

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs git operations at runtime (git fetch origin, checkout/merge PR HEADs) and then runs build/test commands, meaning it fetches and executes code from the repository remote (the 'origin' URL, e.g., git@github.com:org/repo.git or https://github.com/org/repo.git), which is an external dependency that can execute remote code.