skill-repo-manager

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill docs instruct runtime installation from remote git repositories (e.g., https://github.com/owner/repo.git or the shorthand owner/repo used with "npx skills add"), which causes the CLI to fetch remote SKILL.md and repo scripts at runtime that can directly control agent prompts or execute code.