Penpot Uiux Design

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This Skill appears consistent with its stated purpose (automating and assisting Penpot UI/UX work via a local MCP server). I found no indicators of intentional malicious behavior, remote credential harvesting, or third-party data exfiltration. The meaningful risks are: (1) supply-chain risk from cloning and running a repository (git + npm build/run) — users should audit code before running; and (2) the high privileges of mcp__penpot__execute_code which can modify a user's design files, so any code executed should be reviewed and run only with user consent. Overall I judge this as low-maliciousness but moderate supply-chain/privilege risk.

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Mar 1, 2026, 07:23 PM
Package URL: pkg:socket/skills-sh/ChatAndBuild%2Fskills-repo%2Fpenpot-uiux-design%2F@36e9da57cf5e1bbdd7813ac571bde90de8940fba