stitch-loop

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs at runtime to download the generated page from htmlCode.downloadUrl and (optionally) load it via the Chrome DevTools MCP server, which means remote HTML fetched from htmlCode.downloadUrl can contain and execute scripts in the agent's runtime, so htmlCode.downloadUrl is a required runtime external dependency that may execute remote code.