This will work well enough, except that it is inherently insecure, and more importantly, unstable. The URL might change, or the repository might disappear.
I don't think that this has to be insecure for the reasons you state. Caching can be used here. If the system is optimized (not unlike the DNS system) to cache URL-imported modules locally, at both the client and referring server (the server that hosted the code that issues the #import URL statement), then if a URL changes, the copies at the client and referring server could be used, even if expired (expired from the cache). The copy at the referring server would be unlikely to dissappear since the original program (or referring module) is hosted by it.
This whole thing needs a heirarchy of caching at the client and at the reffing server anyways to optimize performance. I'm just suggesting that this heirarchy could be used to solve the 'URL might change' problem.