oasis-server-setup

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly directs the app to check an Oasis update endpoint (https://oasis.yourdomain.com/your-app/update/{{target}}-{{arch}}/{{current_version}}) which returns manifests that point to CDN-hosted installer artifacts (e.g., https://cdn.example.com/app/v0.2.0/App_x64-setup.nsis.zip) that are downloaded at runtime and installed via update.downloadAndInstall(), so these URLs are runtime dependencies that deliver and execute remote code.