hap-view-plugin

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs installing and auto-installing mdye-cli via npm (which fetches and executes remote package code) and even directs using the mirror registry URL https://registry.npmmirror.com to obtain packages at runtime, so this external URL can be used to fetch/execute required code for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs the agent to "自动帮用户安装 mdye-cli" and includes a Mac OS install command using sudo (sudo npm install -g mdye-cli), which asks the agent to perform privileged operations on the host.