figma-a11y-audit

SUSPICIOUS. The core reporting behavior is coherent with the stated purpose, and most file/system actions are proportionate. The main concern is trust and data flow: the skill depends on a non-official figma-console MCP server and forwards a Figma Personal Access Token to that third-party tool instead of using Figma's official desktop MCP flow. This is not confirmed malicious, but it creates meaningful credential and supply-chain risk.