bump-deps
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This skill's stated purpose (automating dependency bumps using taze, with safe rules for majors and updating Bun catalogs) is coherent, and the requested file reads/writes align with that purpose. However, the workflow runs external tooling (taze, ni) and a local script (scripts/run-taze.sh) without instructing verification, pinning, or review. Those download-and-execute patterns, combined with automatic edits to manifests, create a non-trivial supply-chain risk: a compromised taze package or an unreviewed run-taze.sh could execute arbitrary code and modify many files across a monorepo. The skill does prompt the user before major updates, which reduces autonomous destructive changes, but minor and patch updates are applied automatically. Overall this is not confirmed malware, but it is a medium/high supply-chain risk and should be used only when the invoked tooling and local scripts have been audited and pinned and the user understands the write operations that will occur.
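As an added illustration of the pinning and review the alert asks for, and not code from the Socket report or from the bump-deps skill itself, the following POSIX shell wrapper refuses to run scripts/run-taze.sh unless its SHA-256 matches a value that was reviewed and committed alongside it, and invokes taze at a pinned version in report-only mode (no -w) before any manifest is written. The TAZE_VERSION placeholder, the RUN_TAZE_SCRIPT variable and the expected-hash handling are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example, not part of the audited skill: guard the local wrapper script
# behind a reviewed SHA-256 and pin the taze version instead of pulling "latest".

# Assumption: replace with the taze version you audited and want to pin.
TAZE_VERSION="${TAZE_VERSION:-0.0.0}"

sha256_of() {
  # Portable SHA-256 of a file: GNU coreutils sha256sum, else BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # verify_script <path> <expected-sha256>
  # Returns 0 when the file still matches the reviewed hash, 1 otherwise.
  actual=$(sha256_of "$1") || return 1
  [ "$actual" = "$2" ]
}

run_taze_guarded() {
  # run_taze_guarded <script-path> <expected-sha256>
  # Refuse to execute an unreviewed or modified run-taze.sh; then report
  # proposed minor/patch bumps with a pinned taze before the wrapper writes.
  script="$1"; expected="$2"
  if ! verify_script "$script" "$expected"; then
    echo "refusing: $script does not match reviewed SHA-256 $expected" >&2
    return 1
  fi
  # Pinned version; without -w taze only prints what it would change.
  npx --yes "taze@${TAZE_VERSION}" minor || return 1
  sh "$script"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
# Assumption: RUN_TAZE_SCRIPT and RUN_TAZE_SHA256 are set by the caller.
if [ -n "${RUN_TAZE_SCRIPT:-}" ]; then
  run_taze_guarded "$RUN_TAZE_SCRIPT" "${RUN_TAZE_SHA256:-}"
fi
```

The expected hash should live in version control next to the script and be updated only in a reviewed change, so that any edit to run-taze.sh, whether by a contributor or by compromised tooling, fails the check instead of executing.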