talktofigma-desktop-mcp

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install executable files from a GitHub repository (https://github.com/grab/TalkToFigmaDesktop/releases). Although the repository belongs to a well-known organization, downloading and running external binaries poses a security risk.
  • [COMMAND_EXECUTION]: The instructions explicitly guide the user to bypass operating system security controls, such as macOS Gatekeeper and Windows SmartScreen, in order to run the downloaded application. In addition, the troubleshooting section suggests using shell commands such as lsof, netstat, kill, and taskkill to manage system processes.
  • [REMOTE_CODE_EXECUTION]: The skill configuration requires the agent to run a JavaScript file (mcp-server.cjs) with node. This file is not included in the skill's source; it is created and managed by the external desktop application, so the agent is instructed to execute code from an external, potentially untrusted source.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection (Category 8) by ingesting data from external Figma files that may be controlled by third parties. Maliciously crafted design data could attempt to influence the agent's behavior.
    ◦ Ingestion points: Tools such as get_node_by_id, get_all_nodes, and search_nodes fetch data from the Figma environment.
    ◦ Boundary markers: The agent is given no instructions to treat data from Figma as untrusted or to use specific delimiters.
    ◦ Capability inventory: The skill provides numerous tools for modifying the Figma environment (e.g., set_properties, delete_node) and requires the ability to execute local JavaScript via node.
    ◦ Sanitization: There is no mention of sanitization or validation of the content retrieved over the Figma WebSocket connection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 18, 2026, 04:57 AM

Security Audit — agent-trust-hub — talktofigma-desktop-mcp