figma
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill documentation includes commands to download and immediately execute shell scripts from an untrusted source (canifi.com) via piped bash. This allows the remote server to execute arbitrary code on the user's system.\n
- Evidence: 'curl -sSL https://canifi.com/skills/figma/install.sh | bash' in SKILL.md.\n
- Evidence: 'curl -sSL https://canifi.com/install.sh | bash' in SKILL.md.\n- CREDENTIALS_UNSAFE (HIGH): The skill explicitly instructs users to store FIGMA_EMAIL and FIGMA_PASSWORD in plaintext environment variables via 'canifi-env', making them accessible to any script or agent process.\n- EXTERNAL_DOWNLOADS (HIGH): The skill relies on external scripts and setup processes from a non-whitelisted domain (canifi.com), bypassing standard package security checks.\n- COMMAND_EXECUTION (HIGH): The core installation and setup instructions rely on direct shell command execution of unverified remote code.\n- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Figma files and comments while maintaining powerful capabilities like browser automation and credential access.\n
- Ingestion points: Figma design files, pages, and user comments.\n
- Boundary markers: None mentioned in the skill instructions.\n
- Capability inventory: Browser automation (Playwright MCP), file system operations (cp), network access (curl), and credential access.\n
- Sanitization: No sanitization or validation of external content is specified.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/figma/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata