zavu-rules

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The MCP setup includes a runtime command that uses npx to fetch and execute remote package code—'npx -y @zavudev/sdk-mcp' (invoked via "claude mcp add ... -- npx -y @zavudev/sdk-mcp")—which downloads and runs external code and is described as required for direct API execution from AI assistants.