figma-generate-changelog

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to parse file keys from URLs using sed and to run local Node.js scripts for data processing.
  • [EXTERNAL_DOWNLOADS]: Fetches design metadata and version history from the Figma REST API (api.figma.com). This targets a well-known service and is the primary function of the skill.
  • [DATA_EXPOSURE]: The skill requires a Figma Personal Access Token for authentication. It correctly instructs the user to provide this via the FIGMA_TOKEN environment variable rather than hardcoding it in scripts or instructions.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted design data (page names, component descriptions) from the Figma API.
      ◦ Ingestion points: Figma REST API (api.figma.com).
      ◦ Boundary markers: Output is formatted into markdown sections.
      ◦ Capability inventory: Shell execution of node and sed scripts.
      ◦ Sanitization: The generate-changelog.mjs script includes an escapeMd function that escapes common markdown control characters (backticks, asterisks, etc.) to prevent structural breaks or injection in the generated report.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Jun 13, 2026, 03:56 AM
Security Audit — agent-trust-hub — figma-generate-changelog