ui-to-vue

SUSPICIOUS: The skill's purpose is coherent, but its core function depends on a not-clearly-verified third-party npm CLI that likely receives both design files and a DashScope API key. There is no obvious malicious behavior or deceptive endpoint in the text, yet install trust and credential/data forwarding are only partially verified, so the risk is medium rather than benign.