moai-workflow-design-import

SUSPICIOUS. Path A is well-scoped and includes sensible archive security checks, but the skill’s footprint extends beyond local import by directing the agent to generate and trust additional project-local skills for Figma and Pencil. That transitive trust chain, plus credential use in a generated extractor and an unspecified Pencil MCP provenance, makes the overall skill risk medium despite no direct evidence of malware or overt exfiltration in the reviewed file.