source-driven-development

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls WebFetch at runtime to ingest official docs (e.g., https://react.dev, https://nextjs.org/docs, https://vuejs.org/guide, https://docs.djangoproject.com) and then uses that fetched content verbatim to drive implementation and citations, so those URLs are runtime external dependencies that can directly control agent prompts.