figma-driven-nextjs
Audited by Socket on Feb 27, 2026
2 alerts found:
Anomaly / Security: The fragment presents notable supply-chain risks: (1) a non-standard dependencies format that could cause install-time misinterpretation or concealment of dependencies, and (2) a postinstall script that can execute arbitrary shell commands. These two issues create a trust and integrity risk that warrants immediate review of both the dependencies structure and the contents/behavior of scripts/install.sh before publishing or consuming this package. If scripts/install.sh is benign and the dependencies field is corrected to a valid object, risk is substantially reduced.
The manifest presents a coherent automation path for a Figma-driven Next.js bootstrap and design-system scaffolding. However, the installation model—downloading and executing remote scripts via npx from GitHub without visible integrity checks or per-action confirmations—poses a meaningful supply-chain risk and could enable arbitrary code execution if the source is compromised. Treat as SUSPICIOUS to HIGH-RISK until artifacts are pinned, signed, and auditable, with explicit user confirmation at each major step.