pica-mcp

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill launches the PICA MCP server with "npx @picahq/mcp" (package @picahq/mcp), which fetches/executes remote package code at runtime and exposes tools (via mcpClient.tools()) that the agent calls, so this external dependency can execute code and directly affect agent behavior.