design-import

SUSPICIOUS: the visible skill is broadly aligned with its design-import purpose, but its real footprint depends on transitive agents/MCP servers and external bundle content. The main risks are indirect prompt injection from untrusted design bundles, ambiguous provenance for some optional MCP servers, and possible credential forwarding to third-party tooling; this is medium risk rather than confirmed malware.