opt-harness-install

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill configures and uses the GitHub Packages registry (https://npm.pkg.github.com) at runtime (via .npmrc and npm view / {pm} add commands) to fetch required npm packages (@reopt-ai/opt-harness, opt-palette, etc.), which downloads and installs remote code the workflow depends on and thus can execute code in the consumer environment.