The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill references the installation of the official Figma MCP plugin and the figma-context-mcp package from the NPM registry. These tools are standard for facilitating Figma-to-code workflows and are documented for user-controlled setup.
[COMMAND_EXECUTION]: Utilizes the bash tool to perform authenticated REST API calls to Figma's official endpoints. This usage is transparently documented as a fallback mechanism for design data retrieval.
[CREDENTIALS_UNSAFE]: References the FIGMA_ACCESS_TOKEN credential but includes explicit instructions to use environment variables and ensure secret files are excluded from version control via .gitignore, adhering to industry standard security hygiene.
[INDIRECT_PROMPT_INJECTION]: The skill is designed to process data from external Figma URLs, which constitutes an ingestion point for untrusted content.
Ingestion points: Design metadata and frame structures retrieved from Figma via API or MCP (SKILL.md).
Boundary markers: No specific delimiters are defined for the design payloads.
Capability inventory: Uses Bash for network communication and Write for artifact persistence (SKILL.md).
Sanitization: Risk is mitigated by the skill's design, which parses external data into a rigid, structured markdown template (tables for tokens, specific lists for components), preventing the direct execution of potential instructions hidden in design labels.

figma-design