figma-ui-mcp-bridge

Fail

Audited by Snyk on May 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). One direct download is a raw GitHub ZIP from a likely low-profile/unknown repo (and the package is also referenced via npx), which can contain arbitrary plugin/code that will run in your environment. ara.so is a short domain that may be legitimate, but that does not remove the risk; overall this is a moderate-to-high risk download source and should be treated with caution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires downloading and installing remote code, specifically the Figma plugin ZIP from https://github.com/TranHoaiHung/figma-ui-mcp/raw/main/plugin.zip; it also launches an MCP server via npx figma-ui-mcp, which fetches and executes an npm package. Both are fetched and executed as required runtime components, so the external content can execute code used by the agent bridge.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: May 17, 2026, 08:18 PM
  • Issues: 2