figma-blame-node
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill and its included Node.js script perform legitimate file history analysis and do not contain any malicious patterns, obfuscation, or unauthorized access attempts.
- [CREDENTIALS_UNSAFE]: The skill securely handles authentication by requiring users to set a Figma Personal Access Token in their environment (FIGMA_TOKEN), which is a recommended practice to avoid hardcoding or leaking credentials.
- [EXTERNAL_DOWNLOADS]: Network requests are exclusively sent to the official Figma API domain (api.figma.com). This restricted scope prevents data exfiltration to untrusted third-party servers.
- [COMMAND_EXECUTION]: The instructions guide the user through standard shell operations and script execution necessary for the tool's function, without any patterns suggesting privilege escalation or malicious persistence.
Audit Metadata