talktofigma-desktop-mcp
Warn
Audited by Socket on May 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s capabilities largely match its stated Figma-bridge purpose, and the documented data flow is local and coherent. The main concern is install trust: the skill published by ara.so instructs users to download and trust a separate desktop binary from Grab GitHub Releases and to bypass OS warnings, which raises supply-chain risk even though the repo/releases appear legitimate and purpose-aligned.
Confidence: 85%
Severity: 58%