moai-library-mermaid

SUSPICIOUS. The skill’s main purpose is coherent and there is no clear credential theft or malicious exfiltration, but its runtime trust model is looser than necessary: broad Bash(npx:*) permissions and a mismatched Playwright MCP package reference create meaningful supply-chain and execution risk. Overall this looks like a legitimate documentation/rendering skill with medium security risk rather than malware.