evolve-cli

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The GEPA bridge explicitly launches an external Python package via uv (default command: uv run --with gepa==0.1.1 ...), and the upstream project referenced at https://github.com/gepa-ai/gepa will be fetched/executed at runtime and drives the reflective prompt-evolution loop, so this is a runtime fetch that executes remote code and can directly control prompts.