frame
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests data from external Figma files via tools like get_design_context and get_variable_defs and packages it for downstream agents. This creates a surface for Indirect Prompt Injection where a malicious Figma file could contain instructions designed to manipulate the behavior of implementing agents.
  - Ingestion points: Multiple tools in SKILL.md and references/figma-mcp-server-ga.md ingest untrusted content from the Figma API.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions are present in the handoff templates.
  - Capability inventory: The agent can write to the Figma canvas using use_figma and create new files via create_new_file.
  - Sanitization: There is no evidence of sanitization or validation of the ingested design data before it is formatted into handoff packages.
- [EXTERNAL_DOWNLOADS]: The documentation in references/infrastructure-constraints.md references the official figma-developer-mcp server to be used via npx. This is a well-known tool provided by Figma for this purpose.
- [COMMAND_EXECUTION]: The use_figma tool enables the execution of scripts through the Figma Plugin API. The skill explicitly requires user confirmation for these operations, which significantly mitigates the risk of unauthorized or malicious canvas modifications.
Audit Metadata