upgrade-dep
Warn
Audited by Socket on Mar 20, 2026
1 alert found:
Security alert in SKILL.md (severity: MEDIUM)
SUSPICIOUS: the skill’s purpose is coherent, but its primary mechanism is risky. It directs the agent to fetch and execute an unpinned third-party npm CLI (`yarn-update-dependency@latest`) whose provenance does not match Sentry or Yarn, creating a significant supply-chain and transitive trust risk despite otherwise normal dependency-management behavior.
Confidence: 90%, Severity: 78%
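The alert's concern is the mechanism, not the purpose: a `SKILL.md` step that fetches and runs `yarn-update-dependency@latest` resolves to whatever the registry serves at execution time. As an added example (not Socket's scanner and not code from the audited skill), the script below scans SKILL.md-style text for fetch-and-run npm invocations and reports every one that is not pinned to an exact version. It assumes the skill invokes the CLI through `npx`, `npm exec`, `yarn dlx` or `pnpm dlx`; the sample SKILL.md text is constructed.

```javascript
// Added example, not Socket's scanner and not code from the audited skill.
// Scans SKILL.md-style text for commands that fetch-and-run an npm package
// (npx, npm exec, yarn dlx, pnpm dlx) and reports every invocation that is
// not pinned to an exact version. Assumes the skill invokes its CLI through
// one of those runners; the sample SKILL.md below is constructed.

const RUNNERS = [
  /\bnpx\s+(?:(?:-y|--yes|-p|--package)\s+)*([^\s`'"]+)/g,
  /\bnpm\s+exec\s+(?:--\s+)?([^\s`'"]+)/g,
  /\byarn\s+dlx\s+([^\s`'"]+)/g,
  /\bpnpm\s+dlx\s+([^\s`'"]+)/g,
];

// Exact semver: 1.2.3, optionally with pre-release and build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" into its parts, keeping scoped names (@scope/name) intact.
function splitSpec(spec) {
  const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
  if (at === -1) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// 'pinned' is the only acceptable outcome; anything else resolves at run time
// to whatever the registry serves, so the fetched CLI can silently change.
function classify(version) {
  if (version === null || version === '') return 'unversioned';
  if (EXACT.test(version)) return 'pinned';
  if (/^[\^~<>=]/.test(version) || version === '*' ||
      /^\d+(?:\.\d+)*\.[xX*]$/.test(version) || version.includes('||')) return 'range';
  return 'tag'; // latest, next, beta, ...
}

// Walk the text line by line and collect every runner invocation that is not pinned.
function findUnpinnedRunners(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const re of RUNNERS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        const { name, version } = splitSpec(m[1]);
        const kind = classify(version);
        if (kind !== 'pinned') {
          findings.push({ line: i + 1, name, version, kind, command: m[0] });
        }
      }
    }
  });
  return findings;
}

// Constructed SKILL.md sample; the first command mirrors the pattern the audit flags.
const SAMPLE_SKILL_MD = [
  '# upgrade-dep (constructed sample, not the audited file)',
  '1. Run `npx yarn-update-dependency@latest <package>` to bump the dependency.',
  '2. Then run `yarn dlx @scope/lint-tool` to tidy the manifest.',
  '3. Pinned tooling passes: `npx some-cli@1.4.2 --check`.',
  '4. Ranges are not pinned either: `pnpm dlx other-tool@^2.0.0`.',
].join('\n');

console.log(JSON.stringify(findUnpinnedRunners(SAMPLE_SKILL_MD), null, 2));
```

Run it with `node`; it prints three findings for the constructed sample (a `latest` tag, an unversioned package, and a caret range). An exact pin stops the fetched CLI from changing underneath the skill, but it says nothing about who publishes the package; the provenance mismatch the alert describes still has to be checked separately, for example by comparing `npm view <pkg> maintainers` against the maintainer you expect before allowing the command.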