pp-figma
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches the figma-pp-cli utility from the vendor's NPM registry (@mvanhorn/printing-press) and GitHub repository (github.com/mvanhorn/printing-press-library).
- [COMMAND_EXECUTION]: The skill performs shell command execution via the Read Bash tool to drive the Figma CLI and its subcommands.
- [DATA_EXFILTRATION]: The CLI provides a --deliver webhook: flag and a webhooks test --target-url capability, which allow sending the output of Figma data requests (including files, user info, and logs) to arbitrary external URLs.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted data from Figma design files, comments, and webhook payloads into the agent context.
- Ingestion points: Figma file data via the files, frame extract, and dev-mode dump commands; user comments via the comments-audit command (specified in SKILL.md).
- Boundary markers: No specific boundary markers or instructions to ignore embedded commands are used when interpolating Figma data into the agent's context.
- Capability inventory: The agent has access to Bash execution, network exfiltration via webhooks, and local file system access.
- Sanitization: No sanitization or validation of the content retrieved from Figma is mentioned in the skill definition.
Audit Metadata