flow-hybrid-search

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The wrapper runs remote code at runtime via "npm exec --yes --package=@tiangong-lca/cli@latest -- tiangong", which fetches and executes the @tiangong-lca/cli package (a required runtime dependency), so this is a high-risk external execution vector.