kani-proof
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs agents to run npx -p @workersio/klint klint (which will fetch and execute the @workersio/klint package from the npm registry at runtime) and also references a git dependency (git@github.com:otter-sec/verify.git) that would be fetched during build—both are runtime-fetched external code that would execute and thus constitute risky external dependencies.
Issues (1)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata