publish-to-skills-sh

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly invokes runtime installation/registration that fetches remote prompt content from a GitHub repo (example: "npx skills add jindon1020/osi-skills/openclaw-feishu-webhook") and exposes it at https://skills.sh/用户名/仓库名/子目录路径, meaning externally hosted .agent/instructions.md would be fetched at runtime and directly control agent prompts.