semgrep

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). semgrep commands in the skill (e.g., semgrep --config p/security-audit and p/trailofbits) cause Semgrep to fetch and execute remote rule sets from the Semgrep registry and repositories (e.g., https://semgrep.dev/explore and https://github.com/trailofbits/semgrep-rules) at runtime, and those fetched YAML rules directly control the scanner's behavior.