figma
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to the official Figma MCP server at https://mcp.figma.com/mcp. This is a well-known service, and the connection is used for the intended design-to-code functionality.
- [CREDENTIALS_UNSAFE]: The documentation provides guidance on setting up the FIGMA_OAUTH_TOKEN environment variable. It correctly uses placeholders (<token>) and advises against hardcoding secrets, following standard security best practices.
- [PERSISTENCE_MECHANISMS]: The reference files include instructions to add export commands to shell profiles (e.g., ~/.bashrc, ~/.zshrc) for environment variable persistence. This is a standard, transparent configuration step for developer tooling.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests design context and metadata from Figma nodes. While these are external data sources, the risk is minimized because the data is used only to generate UI implementation suggestions that are subject to review, and the instructions include project-specific rules to maintain code quality.
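The CREDENTIALS_UNSAFE and PERSISTENCE_MECHANISMS findings above together describe the one place where the skill's setup can go wrong in practice: the documented `export FIGMA_OAUTH_TOKEN=<token>` line is safe as a placeholder, but a user who pastes a real token into `~/.zshrc` turns a shell profile (often committed to a dotfiles repo) into a plaintext credential store. The following shell script is an added example written for this page; it is not part of the skill, its reference files, or the Trust Hub audit. It checks a profile file for a `FIGMA_OAUTH_TOKEN` assignment whose value is a literal rather than the `<token>` placeholder or an indirection (`$(...)`, `$VAR`) that reads the token at shell start-up. The sample profile contents, the token-file path `$HOME/.config/figma/token`, and the function name are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the Figma skill or the audit.
# check_profile_for_literal_token PROFILE
#   exit 0  -> no literal token found (placeholder or indirection only)
#   exit 1  -> a literal FIGMA_OAUTH_TOKEN value is exported in PROFILE
#   exit 2  -> PROFILE is unreadable
check_profile_for_literal_token() {
    profile="$1"
    [ -r "$profile" ] || { echo "cannot read $profile" >&2; return 2; }
    # Read in the current shell (no pipeline) so 'return' leaves the function.
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading spaces so indented assignments and comments are handled.
        trimmed=${line#"${line%%[! ]*}"}
        case "$trimmed" in
            '#'*) continue ;;                       # commented-out line
            *FIGMA_OAUTH_TOKEN=*) ;;                # assignment, inspect below
            *) continue ;;                          # unrelated line
        esac
        value=${trimmed#*FIGMA_OAUTH_TOKEN=}
        # Strip one pair of surrounding double or single quotes.
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case "$value" in
            '<token>'|'') ;;                        # documentation placeholder / empty
            '$'*|'`'*) ;;                           # read from a command or variable
            *) printf 'literal token exported in %s: %s\n' "$profile" "$trimmed" >&2
               return 1 ;;
        esac
    done < "$profile"
    return 0
}

# Stand-alone demo on constructed profiles (assumed contents, not from the page).
demo_dir=$(mktemp -d)
cat > "$demo_dir/clean.zshrc" <<'EOF'
# Figma MCP: token lives in a mode-0600 file, the profile only references it
export FIGMA_OAUTH_TOKEN="$(cat "$HOME/.config/figma/token")"
EOF
cat > "$demo_dir/leaky.zshrc" <<'EOF'
export FIGMA_OAUTH_TOKEN="not-a-real-token-but-a-literal"
EOF
for f in "$demo_dir/clean.zshrc" "$demo_dir/leaky.zshrc"; do
    if check_profile_for_literal_token "$f"; then
        echo "ok:   $f"
    else
        echo "FAIL: $f"
    fi
done
rm -rf "$demo_dir"
```

Run it against `~/.bashrc` and `~/.zshrc` after following the skill's setup instructions; a clean result means the profile only references the token, while a failure means the secret itself is sitting in a file that is easy to commit or share by accident.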
Audit Metadata