charting-vega-lite
Fail
Audited by Snyk on Apr 30, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill mandates embedding uploaded data inline into generated artifacts (replacing DATA with json.dumps(data)), which will cause any API keys, passwords, or other secrets present in user-uploaded files to be emitted verbatim in the agent's output/artifact, creating an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). ChartExplorer.jsx dynamically loads and executes remote JavaScript from the CDN URLs (https://cdn.jsdelivr.net/npm/vega@5, https://cdn.jsdelivr.net/npm/vega-lite@5, https://cdn.jsdelivr.net/npm/vega-embed@6) at runtime to render charts, and those scripts are required for the skill to function, so they constitute a runtime external dependency that executes remote code.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).