figma-to-html

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill transmits the user's sensitive Figma Personal Access Token to an external conversion service at http://figma-restapi-server.sandbox.ee-fe.appspace.baidu.com/api/convert. Sending credentials to a third-party API that is not the official Figma service poses a risk of credential exposure and misuse.
  • [REMOTE_CODE_EXECUTION]: The scripts/convert-node.mjs script is vulnerable to path traversal. It uses relative file paths received from the remote API (file.path) to write files to the local filesystem using path.join. A malicious or compromised server could return paths containing directory traversal sequences (e.g., ../../) to overwrite sensitive files such as configuration scripts, shell profiles, or the skill's own executable code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 7, 2026, 03:10 AM
Security Audit — agent-trust-hub — figma-to-html