figma-export-tokens
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill does not perform any network operations, use external dependencies, or include obfuscated code. Its logic is contained within two local scripts reviewed for safety.
- [COMMAND_EXECUTION]: The skill utilizes a local Node.js script (scripts/convert-tokens.mjs) to transform design data. The script uses standard file system modules (fs, path) to read local JSON and write token files to a user-specified directory. No arbitrary command execution or shell injection points were identified.
- [PROMPT_INJECTION]: The skill processes variable names and descriptions from Figma files (indirect prompt injection surface). However, the script treats these as literal strings for design tokens and does not execute them or pass them into prompt interpolation in a way that could override agent behavior.
- [DATA_EXFILTRATION]: While the skill reads Figma variable data, it is processed locally and written to the local filesystem. There are no patterns of exfiltrating this data to remote servers.
Audit Metadata