nano-verify-message

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs runtime installation/execution of a remote npm package (e.g., xno-skills@latest via "bunx -y xno-skills@latest" / "pnpm dlx xno-skills@latest" / "npx -y xno-skills@latest"), which fetches and executes remote code and is required by the skill, so it directly executes external code fetched at runtime.