codebase-search

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The script may invoke "bunx @morphllm/morphmcp@latest" at runtime (when no configured mcporter server is found), which fetches and executes remote package code (morphmcp) that the skill requires to perform searches and therefore can directly control agent behavior.