vcv-rack-plugin

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The CI workflow clearly downloads and executes remote build artifacts at runtime (for example it wget's the Rack SDK: https://vcvrack.com/downloads/Rack-SDK-${{ env.rack-sdk-version }}-mac-x64+arm64.zip and pulls/uses the container image ghcr.io/qno/rack-plugin-toolchain-win-linux), so external content is fetched and executed as a required dependency.