figma-to-react
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill provides instructions for a legitimate developer workflow, focusing on the accurate transformation of design data into production-ready code using platform-provided tools.
- [EXTERNAL_DOWNLOADS]: The skill references Google Fonts (fonts.googleapis.com and fonts.gstatic.com), which are well-known services, to ensure that typography in the generated components matches the source design precisely.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection due to its core function of processing external design data.
- Ingestion points: External design data retrieved via mcp__figma__get_metadata and mcp__figma__get_design_context (SKILL.md).
- Boundary markers: Absent; there are no specific delimiters or instructions to treat the incoming Figma data as untrusted content separate from the agent's instructions.
- Capability inventory: The skill allows for the generation of complex React and Next.js components, involving significant code synthesis capabilities.
- Sanitization: Absent; the skill does not include steps to sanitize or filter the metadata or design context retrieved from the Figma API before it is processed by the model.
Audit Metadata