figma-ui-mcp-bridge
Warn
Audited by Socket on May 17, 2026
1 alert found:
Security / MEDIUM
SKILL.md
SUSPICIOUS: the skill’s capabilities largely match its stated Figma-bridge purpose and its localhost data flow is coherent, but install trust is inconsistent with the publisher identity. The main concerns are transitive MCP installation and a Figma plugin delivered as an unpinned raw GitHub zip from a personal account, which creates meaningful supply-chain risk even without evidence of overt exfiltration.
Confidence: 88%
Severity: 72%