pulumi-go

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill includes CI and dependency commands that fetch and run remote GitHub content at runtime—notably the GitHub Actions references actions/checkout@v4 and pulumi/auth-actions@v1 (and git module paths like github.com/pulumi/pulumi-aws/sdk/v6 and github.com/myorg/my-component used by pulumi package add / go get) which will download and execute remote code as part of CI/build/deploy, so they present a runtime remote-code execution risk.