pp-figma

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the figma-pp-cli tool using npx from the @mvanhorn/printing-press package and go install from the github.com/mvanhorn/printing-press-library repository. These sources are consistent with the vendor's provided infrastructure.
  • [COMMAND_EXECUTION]: The skill utilizes bash commands to perform environment setup, tool installation, and execution of the Figma CLI utility, which is consistent with the skill's stated purpose.
  • [DATA_EXFILTRATION]: The CLI includes a --deliver webhook:<url> feature that allows routing command output to arbitrary external URLs. While documented as a feature for design data delivery, it provides a generic network egress capability for data processed by the tool.
  • [PROMPT_INJECTION]: The skill processes untrusted external data from Figma files, nodes, and comments, creating a surface for indirect prompt injection.
  • Ingestion points: Data enters via the frame extract, dev-mode dump, comments-audit, and files commands which fetch content from the Figma API.
  • Boundary markers: The instructions do not specify the use of delimiters or warnings to ignore instructions embedded within the Figma content.
  • Capability inventory: The skill has access to bash execution, file system writes (--deliver file:), and network egress (--deliver webhook:).
  • Sanitization: There is no evidence of sanitization or validation logic for the content retrieved from Figma before it is provided to the agent context.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 01:14 PM
Security Audit — agent-trust-hub — pp-figma