Skills
skills/figma/dev-mode-mcp-server-guide/figma-generate-library/Gen Agent Trust Hub

figma-generate-library

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates and executes JavaScript code within the Figma Plugin environment through the use_figma tool. This is the core mechanism for building and modifying design assets. The execution is based on provided script templates in the scripts/ directory, which handle tasks like variable creation, component building, and file structure setup.\n- [DATA_EXPOSURE]: The skill reads codebase files such as CSS, JSON, and JavaScript configuration files during the Discovery phase to extract design tokens (colors, spacing, etc.). It also maintains a state ledger stored in /tmp/dsb-state-{RUN_ID}.json to track progress across long workflows. These operations are restricted to relevant project files and temporary storage, matching the skill's primary purpose.\n- [INDIRECT_PROMPT_INJECTION]: The skill ingests external data from the user's codebase. While this presents a surface for indirect prompt injection, the risk is mitigated by the skill's architecture: data is processed as design values rather than instructions, and the mandatory workflow requires explicit human approval at key checkpoints (Discovery, Foundations, Page Structure, and per-component) before any changes are finalized. \n
  • Ingestion points: Project codebase files (e.g., tokens.json, tailwind.config.js, .css files) analyzed in Phase 0.\n
  • Boundary markers: The multi-phase workflow and mandatory user checkpoints act as boundaries between data processing and execution.\n
  • Capability inventory: use_figma (JavaScript execution in Figma), search_design_system, and Code Connect MCP tools.\n
  • Sanitization: Design tokens are extracted and applied as values to Figma variables; user approval is required at every stage of the build process.\n- [DYNAMIC_EXECUTION]: The skill performs script generation from known templates provided in the scripts/ folder to automate Figma operations. This runtime assembly of executable code is the intended behavior for the design system orchestration and is handled through local templates rather than untrusted remote sources.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 28, 2026, 11:32 AM