export-and-package

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script invokes "npx @red-hat-developer-hub/cli@latest" at runtime (e.g., in step_export and step_package_oci), which causes npx to fetch and execute remote code from the npm registry and is required for the export/package workflow, so this is an actual runtime external dependency that executes remote code.