qdrant-codebase-search

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes "npx -y @mhalder/qdrant-mcp-server@3.3.1" (in setup-mcp.sh and config examples), which at runtime fetches and executes remote code from the npm registry to run the MCP server that can influence agent prompts/behavior (e.g., via PROMPTS_CONFIG_FILE), so this is a required runtime external dependency executing remote code.