dependency-audit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill claims to run Snyk audits, but its manifest, instructions, and code disagree in unsafe ways: the credentials it needs are not declared, an undocumented optional data-submission endpoint can exfiltrate dependency and environment data, and the documented behaviour does not match what the code does (and the code itself is buggy).
This skill is internally inconsistent and potentially risky. Before installing or running it: (1) do not run it against sensitive repositories until you have read and trust the code; the script can send your full dependency list and working directory to any URL passed via --submit. (2) Ask the author to declare the required credentials (SNYK_TOKEN and the primary org) in the registry metadata and to document the --submit option and where it sends data. (3) Fix or verify the bugs: the script prints a key that the audit function does not return, which will likely raise at runtime, and SKILL.md recommends installing 'requests' although the code uses urllib. (4) If you need to test it, run it in an isolated environment with no secrets and without a --submit URL, or audit and patch the code to remove or restrict external submission and to stop sending the cwd and PLATFORM_INFO. If the author cannot explain why arbitrary report submission is present and necessary, treat the skill as unsafe.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
No visible risk-analysis findings were reported for this release.
