sveltia-cms

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime fetching and execution of remote code (required by the admin page and setup), e.g. the CDN script tag https://unpkg.com/@sveltia/cms@0.128.5/dist/sveltia-cms.js (also present as @0.113.3 in templates) and a git-clone + npm install flow for https://github.com/sveltia/sveltia-cms-auth which pulls and runs remote code for the OAuth worker, so these URLs are required dependencies that execute remote code at runtime.