power-engineer

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs runtime install commands that fetch and execute remote code (e.g., the MCP install referencing the git URL git+https://github.com/aws-samples/sample-mcp-security-scanner.git@main), so that external repository would be fetched at runtime and can execute code or control agent behaviour.