hwp

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly installs and runs external Python packages at runtime (e.g., pip install / pipx run of pyhwp2md and runtime installs of pyhwp and python-hwpx), which fetch and execute remote code from package repositories such as https://pypi.org/project/pyhwp2md/ and the referenced GitHub https://github.com/pitzcarraldo/pyhwp2md, and those packages are required for the skill to operate—so this is a runtime external dependency that executes remote code.