extension-guide-v2

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime install methods that fetch and execute remote artifacts (for example the binary download URL https://github.com/org/repo/releases/download/v1.0.0/tool.tar.gz — and related runtime fetches like https://download.docker.com/linux/ubuntu/gpg and npx packages such as @mytool/mcp), which would download and run remote code during extension installation.