create-mcp-app

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs cloning and running code from https://github.com/modelcontextprotocol/ext-apps.git (git clone ... then npm install / npm run) which fetches remote code and executes it as part of the testing/runtime workflow, so the external URL can cause execution of remote code.