kw-update-skills

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs running npx commands that fetch and update third‑party repo code at runtime (e.g., the repository reference "kwazema/claude-skills" / GitHub/GitLab repos), so remote content is fetched and can install/execute code that controls agent behavior.