agent-code-analyzer

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes the external package via "npx claude-flow@alpha" in pre/post hooks and workflow commands (e.g., pre-task, pre-search, memory operations), which causes remote code to be fetched and executed at runtime and can directly control agent behavior.