figma-mcp-go-design-automation
Fail
Audited by Snyk on May 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These links point to an unknown GitHub releases page and an associated npm package invoked via npx plus a local Figma plugin (plugin.zip) from an unverified/low-visibility author (and a short, lightly verified domain ara.so), so executing/installing them could run arbitrary code or gain full access to your Figma files and thus may be used to distribute malware unless the author/package are independently verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs remote code at runtime via npx (npx -y @vkhanhqui/figma-mcp-go@latest) and requires downloading/executing the Figma plugin from https://github.com/vkhanhqui/figma-mcp-go/releases, both of which fetch and execute external code that the skill depends on.
Issues (2)
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata