align-repo

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running npx to fetch and run remote code from https://github.com/apocohq/skills (e.g., "npx skills add https://github.com/apocohq/skills ..."), which is executed at runtime, can modify agent behavior/instructions, and is presented as a required update/install step.