next-upgrade
Warn
Audited by Snyk on Apr 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill instructs fetching the official codemods documentation (https://nextjs.org/docs/app/building-your-application/upgrading/codemods) at runtime and explicitly runs "npx @next/codemod@latest", which will fetch and execute remote code as a required step for the upgrade, so the external content directly controls runtime behavior and executes code.
Issues (1)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata