vscode-openvsx-extension-publish
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The workflow and publish steps rely on third-party components that are fetched and executed at run time, e.g., the CI action "actions/checkout@v4", which is fetched and executed from https://github.com/actions/checkout, and npx-invoked packages like @vscode/vsce/ovsx. These components download and run remote code during execution, so this skill includes required external runtime dependencies that execute remote code.
Audit Metadata