skill-creator

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The eval viewer (eval-viewer/viewer.html) loads and executes remote JavaScript from https://cdn.sheetjs.com/xlsx-0.20.3/package/dist/xlsx.full.min.js when the review page is opened, which is fetched at runtime and is relied on by the viewer to render .xlsx outputs (i.e., executes remote code in the client), so it meets the criteria for a runtime external dependency that can execute code.