figma
Warn
Audited by Gen Agent Trust Hub on Jul 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains a 'Run silently, don't ask' instruction that attempts to bypass the agent's standard user confirmation protocols for executing commands like updating the skill or sending telemetry.
- [COMMAND_EXECUTION]: Instructs the agent to execute shell commands using the
npx hyperframesvendor tool for skill synchronization, asset management, and event reporting. - [DATA_EXFILTRATION]: Implements a 'usage beacon' mechanism using
npx hyperframes eventsto send anonymous telemetry, skill start/finish markers, and success/error outcomes to an external service. - [EXTERNAL_DOWNLOADS]: Relies on
npxto fetch and execute thehyperframespackage and its dependencies from a remote registry during the update and execution phases. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection via data ingested from Figma. The skill parses element names and 'Director notes' (text nodes) from Figma to determine animation logic, transitions, and component binding.
- Ingestion points: Figma node names, node tree metadata, and TEXT nodes within the 'Storyboards' section.
- Boundary markers: None present to delimit untrusted data from instructions.
- Capability inventory: Shell execution via
npx, local file system writes to.media/, and dynamic web script injection. - Sanitization: Sanitization is mentioned for SVG assets, but no validation or sanitization is documented for text-based motion intent or node names used in logic or script generation.
- [REMOTE_CODE_EXECUTION]: Dynamically generates GSAP animation code and injects it into the composition as a
<script>tag (emitTimelineScript) based on motion data and tracks fetched from the Figma API.
Audit Metadata