penpot-workflow
Warn
Audited by Socket on May 1, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill’s design-management purpose is coherent, but trust and data-flow details are not. Its main concern is routing shared design content through an unofficial-looking `penpot.e9n.dev` host and relying on an unverifiable `pi-penpot` extension. The permissions and actions are otherwise broadly proportional to design work, so this looks more like medium/high security risk than confirmed malware.
Confidence: 82%
Severity: 72%