figma-to-code

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted design metadata from external Figma files to generate executable React/TypeScript code. An attacker with control over a Figma file could potentially embed malicious instructions or scripts in layer names or text properties that could influence the agent's behavior or be improperly handled during code generation.
  • Ingestion points: Design data is retrieved using Figma MCP tools mcp__figma__get_metadata and mcp__figma__get_design_context from remote Figma URLs (SKILL.md, reference/extended.md).
  • Boundary markers: The instructions do not define clear delimiters or specific instructions for the agent to ignore potentially malicious embedded content within the design data.
  • Capability inventory: The skill facilitates production code generation (React/TypeScript) and local file system writes (caching MCP data in the .figma-mcp/ directory) (SKILL.md, reference/extended.md).
  • Sanitization: There are no explicit instructions for the agent to sanitize, validate, or escape the strings retrieved from the Figma API before they are interpolated into the generated component code.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 11:20 AM
Security Audit — agent-trust-hub — figma-to-code