Frontman — Visual Frontend Editing

This skill appears to do what it says (a browser-based visual editor that writes real source files), but there are important safety checks you should do before installing or running it: - Verify where the AI runs: confirm whether Frontman is fully local/self-hosted in your environment or whether any server or hosted service will receive your DOM, screenshots, console logs, or source-file information. If it is remote, assume your code and UI previews may leave your machine. - Inspect the packages before running npx: npx fetches and can execute remote code. Review the frontman npm packages and any install scripts, or clone and inspect the repo locally before running installers. - Use a disposable/dev environment and a separate git branch: run this only on non-production copies of your project and ensure you can revert changes. - Protect API keys: the docs say BYOK for LLMs — only provide model keys if you understand whether they will be used locally or sent to external endpoints. Prefer local/self-hosted model setup if you need confidentiality. - Check licensing and server components: server-side parts are AGPL-3.0 — review implications for your project and whether additional server components must be deployed. - Network monitoring: if you have concerns, run the tool behind a firewall or while monitoring outbound connections to detect unexpected network calls. If you can confirm the Frontman server is self-hosted locally (so edits and AI inference do not send code to third parties) and you review the npm packages, the skill is reasonably coherent for its purpose. If you cannot confirm those points, treat it as higher risk and avoid running npx install commands against sensitive codebases.