git-merge-main

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill runs "git fetch origin main" at runtime (fetching from the configured origin remote URL) and then may run "pnpm install" and "pnpm test", so fetched repository content or package install/test scripts from that external git remote can execute code and thus present a runtime risk.