skills/oaustegard/claude-skills/charting-vega-lite/Snyk

charting-vega-lite

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 0.80). The skill explicitly mandates embedding uploaded data verbatim into an inline JS DATA constant and writing that into generated artifacts, which forces the LLM to include any secrets present in uploaded files in its output (exfiltration risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The ChartExplorer component loads and executes remote JavaScript at runtime from CDN URLs (e.g. https://cdn.jsdelivr.net/npm/vega@5, https://cdn.jsdelivr.net/npm/vega-lite@5, https://cdn.jsdelivr.net/npm/vega-embed@6), which executes remote code in the artifact and is required for chart rendering.

Audit Metadata

Risk Level

HIGH

Analyzed

Feb 16, 2026, 01:15 AM