oma-hwp

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes bunx kordoc@latest (which fetches/executes the kordoc code hosted upstream: https://github.com/chrisryugj/kordoc) and even documents an install-time command that executes remote code (curl -fsSL https://bun.sh/install | bash) — both are runtime external fetches that will run remote code and are required for the skill to operate.