primitive-chat

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The README and setup instruct running remote-package installers that will fetch and execute code at runtime (e.g., "npx skills add primitivedotdev/chat" and "npm install -g @primitivedotdev/cli", which pull packages from the npm registry such as https://registry.npmjs.org/@primitivedotdev/cli), so the skill depends on externally fetched code that would be executed on the host.