snipgrapher
Warn
Audited by Socket on Mar 14, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the stated purpose is coherent for a code-to-image skill, but its core execution path relies on an unverified external CLI package invoked via unpinned `npx`. There is no evidence of credential theft or exfiltration, yet the install/execution trust is disproportionally weak because the package provenance cannot be confirmed.
Confidence: 84% | Severity: 72%