secrets

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly states that hosted agent cards and remote OpenAPI specs are fetched at runtime and can influence agent behavior — e.g. https://research-agent.example.com/.well-known/agent.json and https://api.weather.example.com/openapi.json are examples of URLs whose fetched content would directly control agent capabilities/prompts.