figma-bridge-html-export

SUSPICIOUS: The skill’s stated purpose and capabilities mostly align, and data stays local in the documented flow. The main concern is install trust: the skill is published by ara.so but directs users to clone and run a personal GitHub repo, creating moderate supply-chain risk without clear same-org provenance. No strong signs of malware, credential theft, or covert exfiltration are present.