design-system

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes the remote CLI via npx (e.g., npx -y @google/design.md@latest which fetches/executes code from https://www.npmjs.com/package/@google/design.md and its canonical repo https://github.com/google-labs-code/design.md) and uses the CLI output to populate agent context (spec files) and drive audits/exports, so this is a runtime-fetched remote executable that can directly affect agent prompts and behavior.