oracle

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The guidance includes an explicit runtime command "npx -y @steipete/oracle" which fetches and executes a remote npm package (remote code) that implements the oracle CLI and thus would directly control prompts/instructions at runtime, so it is a runtime external dependency that can execute code.