image2pencil

SUSPICIOUS. The skill’s behavior is internally coherent for UI reconstruction and design documentation, and its data flow appears local and proportionate. However, it requires an unverifiable private-source Pencil MCP binary/toolchain, so install/execution trust is materially elevated even though there is no clear evidence of credential theft, exfiltration, or malicious intent in the skill itself.