figma-generate-personal-token
Warn
Audited by Socket on Apr 8, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's core purpose matches its behavior—obtaining a Figma token via Figma's own site—but it does so by consuming raw account credentials, passing them through a third-party browser automation tool, generating a longest-expiry token, and enabling all permissions. There is no obvious off-platform exfiltration or fake endpoint, so this is not confirmed malware, but the scope and credential handling are broader than necessary for a token-management skill.
Confidence: 86%
Severity: 68%
Audit Metadata