figma-bridge
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified. The skill ingests untrusted content from external Figma files and URLs using tools such as
get_design_contextandget_libraries. Malicious instructions embedded within Figma layer names or metadata could influence agent behavior during processing. - Ingestion points: External Figma file keys, node IDs, and design context data retrieved via MCP tools.
- Boundary markers: No explicit delimiters or instructions are provided to ignore embedded commands in the design data.
- Capability inventory: Executes file writes to
design-state.mdand generates HTML code for prototypes. - Sanitization: There is no mention of sanitizing or validating the content pulled from Figma before it is processed.
- [COMMAND_EXECUTION]: Dynamic code generation surface. The skill generates a self-contained, clickable HTML prototype at runtime when Figma tools are unavailable. This process involves assembling code from project tokens and content strings, which is a form of dynamic execution.
- [COMMAND_EXECUTION]: The skill invokes various Figma-specific MCP tools (e.g.,
use_figma,create_new_file) to perform design operations. This interaction with an external platform through shell-like commands is a core capability of the skill.
Audit Metadata