xmake-private-packages
Warn
Audited by Snyk on May 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs xmake to clone and run package recipes from the repository git@github.com:mycompany/my-repo.git at runtime (the fetched xmake.lua recipes contain on_install handlers that are executed), so this URL provides remote code that directly controls execution.
Issues (1)
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).