bruhs

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs package-installer/CLI commands at runtime that fetch and execute remote code — e.g., "npx skills add bryantleft/bruhs-skills" and the MCP config that runs "npx -y mcp-server-linear" — which will download and run third-party code (skills / MCP servers) that can change agent behavior or execute code.