windmill-workflows

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill references and pulls executable artifacts at build/run time — container images from ghcr.io (ghcr.io/windmill-labs/windmill:main and ghcr.io/windmill-labs/windmill-lsp:main) and a pdfcpu binary downloaded from GitHub (https://github.com/pdfcpu/pdfcpu/releases/download/v0.11.1/pdfcpu_0.11.1_Linux_x86_64.tar.xz) — which are fetched during deployment and supply remote code that will be executed and are required for the service.