add-skill

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs a runtime WebFetch of https://code.claude.com/docs/en/skills and tells the agent to "Extract skill file format, required fields, naming rules, and best practices," so fetched remote content directly controls the agent's prompts/instructions and is treated as a required dependency.