qt-installer-framework-config

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The config.xml/README configure a RemoteRepository at https://updates.mycompany.com/repo (and https://updates.mycompany.com) which the online installer fetches at runtime to download packages that can include package scripts (installscript.qs) executed by the installer, so the fetched content can run remote code and directly control installer behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill includes installer scripts and build/deploy commands that create or modify system-level artifacts (e.g., symlink to /Applications, register file types, create shortcuts, rsync to /var/www) which change the host state and may require elevated privileges, so it encourages modifying the machine state.