agent-framework

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The examples spawn an npx command at runtime ("npx -y @modelcontextprotocol/server-github", which will fetch/execute the package from the npm registry — e.g. https://registry.npmjs.org/@modelcontextprotocol/server-github), and that remote code runs an MCP server whose tools are loaded into the agent (it executes remote code and the skill relies on those tools), so it meets the criteria for a runtime external dependency that can control agent behavior.