The manifest is registry-controlled anyway (we look it up using a tag, not a digest), so this does not give the registry any new powers, but having code like that laying around is a risk.