skills-store

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches remote skill bodies at runtime via the PostHog MCP calls (posthog:skill-get and posthog:skill-file-get), and those fetched SKILL.md "body" contents are explicitly treated as system instructions that directly control the agent's prompts, so these remote fetches are a high-confidence runtime dependency.