fusion-mcp

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs pulling/running the GHCR image (ghcr.io/equinor/fusion-poc-mcp[:tag]) at runtime (docker run / docker pull), which executes remote container code that implements an MCP server capable of returning "instructions"/tool responses that can control agent behavior, and the GHCR image is presented as a required runtime dependency for the GHCR setup path.