figma-mcp-integration

Warn

Audited by Socket on May 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill’s Figma-read/write scope matches its stated purpose, but its trust model is weak. It relies on download-and-execute patterns and executes a third-party MCP server from an unrelated publisher via mutable install paths, creating meaningful supply-chain and design-data exposure risk without clear same-org provenance.

Confidence: 84%
Severity: 74%
Audit Metadata

Analyzed At: May 18, 2026, 07:54 AM
Package URL: pkg:socket/skills-sh/Aradotso%2Fdesign-skills%2Ffigma-mcp-integration%2F@9c8597d0e17b4461409ac2d3ac5f0e12719990ad