The skills/brainstorming/scripts/ directory bundles node_modules/ directly in the repository (~4.6 MB). This is a supply chain security risk:
- Vendored dependencies bypass npm audit and automated vulnerability scanning (e.g., Dependabot, Socket)
- Malicious code injected into a dependency would persist undetected in the git history
- Reviewing dependency updates via git diff is impractical: a single package update can touch hundreds of files
- Users cloning the repo inherit whatever was committed, with no lockfile verification
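One way to turn the points above into a repeatable check is to scan the list of tracked paths for any `node_modules/` segment and report, per directory, how many files are vendored and whether a `package-lock.json` sits beside them. The script below is an added example, not code from this repository; the path `skills/brainstorming/scripts/` comes from the issue, while the file names inside it (`lodash/`, `search.js`) are constructed sample data.

```shell
#!/bin/sh
# Added example: detect vendored node_modules/ in a list of tracked paths.
# Feed it `git ls-files` output; here a constructed sample stands in for it.

# Constructed sample of what `git ls-files` might print for this repo.
# The scripts/ directory is from the issue; file names under it are made up.
SAMPLE_PATHS='README.md
skills/brainstorming/SKILL.md
skills/brainstorming/scripts/package.json
skills/brainstorming/scripts/search.js
skills/brainstorming/scripts/node_modules/.package-lock.json
skills/brainstorming/scripts/node_modules/lodash/package.json
skills/brainstorming/scripts/node_modules/lodash/lodash.js'

# Reads paths on stdin; prints "<owning dir>\t<tracked file count>" for every
# directory that has a node_modules/ subtree committed. Only directory
# segments count, so a file literally named node_modules is ignored.
vendored_node_modules() {
    awk -F/ '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "node_modules") {
                    dir = "."
                    if (i > 1) { dir = $1; for (j = 2; j < i; j++) dir = dir "/" $j }
                    count[dir]++
                    break
                }
            }
        }
        END { for (d in count) printf "%s\t%d\n", d, count[d] }
    ' | sort
}

# Reads paths on stdin. Exit 0 when nothing is vendored, 1 otherwise, so it
# can gate CI. For each offending directory it also says whether a lockfile
# is tracked there, since `npm ci` against a lockfile is the replacement.
audit_tracked_paths() {
    paths=$(cat)
    report=$(printf '%s\n' "$paths" | vendored_node_modules)
    if [ -z "$report" ]; then
        echo "ok: no node_modules/ paths are tracked"
        return 0
    fi
    printf '%s\n' "$report" | while IFS="$(printf '\t')" read -r dir n; do
        if [ "$dir" = "." ]; then lock="package-lock.json"; else lock="$dir/package-lock.json"; fi
        if printf '%s\n' "$paths" | grep -qxF "$lock"; then
            lockstate="lockfile present"
        else
            lockstate="no lockfile"
        fi
        echo "vendored: $dir ($n tracked files, $lockstate)"
    done
    return 1
}

# Demo on the constructed sample; the non-zero exit is expected here.
printf '%s\n' "$SAMPLE_PATHS" | audit_tracked_paths || echo "audit failed (exit $?)"
```

In a real checkout, run `git ls-files | audit_tracked_paths` from the repository root; a failing exit status in CI is the signal that a `node_modules/` tree was committed. The fix the issue asks for is the usual one: add `node_modules/` to `.gitignore`, commit `package-lock.json`, and restore dependencies with `npm ci` so that `npm audit` and the scanners named above actually see the dependency tree.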