preview-diff

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill injects CDN script URLs (e.g., https://cdn.jsdelivr.net/npm/diff2html@3.4.47/bundles/js/diff2html.min.js) into the generated HTML which is opened by run.sh so the browser will fetch and execute remote JavaScript (a required dependency for rendering), creating a runtime external dependency that executes remote code.