dependency-upgrade

SUSPICIOUS. The skill’s purpose and capabilities mostly align with dependency upgrade work, and there is no obvious credential theft or exfiltration. However, it encourages unpinned execution of third-party CLIs and includes at least one likely incorrect or weakly verified external tool example, raising medium supply-chain risk.