figma-capture-extension
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The extension's content script (manifest.json "matches": ["<all_urls>"]) injects capture.js and serializes/transforms the live DOM and text of arbitrary public webpages (and also downloads capture.js from Figma's public endpoint), so untrusted user-generated web content is read and interpreted at runtime as part of the capture/clipboard workflow and can influence transformation and action logic.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The Makefile/download step pulls and the extension injects/executes remote JavaScript at runtime from https://www.figma.com/community/plugin/1159123024924461424/capture.js, so required external code is fetched and executed during operation.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata