opencode-dev

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The opencode config includes MCP server commands that run npx to fetch and execute remote npm packages at runtime (e.g. "npx -y @modelcontextprotocol/server-postgres" and "npx -y @modelcontextprotocol/server-filesystem"), which download and execute remote code the skill relies on to provide MCP functionality.