alova-client

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to "Always fetch the official doc before answering" and uses web_fetch at runtime to retrieve content from https://alova.js.org/tutorial/getting-started/quick-start/ (and other pages on alova.js.org), meaning external content fetched at runtime would directly control the agent's responses.