java-repo-assessment

Warn

Audited by Snyk on Mar 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs Maven GAV invocations (e.g., "mvn org.apache.maven.plugins:maven-pmd-plugin:3.28.0:pmd", "mvn org.jacoco:jacoco-maven-plugin:0.8.12:report" and "mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.1:copy -Dartifact=org.jacoco:org.jacoco.agent:0.8.12:jar:runtime ..."). At runtime these cause Maven to fetch and execute remote plugin/agent JARs from Maven Central (remote code execution), and the skill requires them; they therefore meet the criteria for a runtime external dependency that executes remote code.


Audit Metadata

Analyzed: Mar 15, 2026, 05:59 AM
Issues: 1