bridge-codex

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill auto-setup and runtime paths call out running external code via npx (e.g., "npx -y codex mcp-server" / the npm package "codex" — https://www.npmjs.com/package/codex), which fetches and executes remote code at runtime to expose MCP tools (mcp__codex__codex and codex-reply) that directly accept and control prompts, so this is a high-confidence runtime external dependency that can control agent instructions.