cookiy-onboard

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill’s runtime install commands fetch and execute remote packages (npx cookiy-mcp — https://www.npmjs.com/package/cookiy-mcp — and brew install cookiy-ai/tap/cookiy) which install an MCP server the skill depends on and which can run code and control agent prompts, so this is a high-confidence runtime dependency.