Skills
skills/southleft/skills-for-figma/export-tokens-figma/Gen Agent Trust Hub

export-tokens-figma

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a local Node.js script (scripts/convert-tokens.mjs) to perform token conversion. This is a deterministic process that runs locally with zero external dependencies, reducing the risk of execution-based attacks.
  • [PROMPT_INJECTION]: The skill ingests design data from Figma, which represents a surface for indirect prompt injection through variable names or descriptions.
  • Ingestion points: Data is retrieved from the Figma Plugin API via the read-variables.js script.
  • Boundary markers: The workflow mitigates risk by instructing the agent to use the provided conversion script rather than processing variable content directly through the model.
  • Capability inventory: The skill uses the use_figma tool for data retrieval and shell execution (node) for the conversion process.
  • Sanitization: The convert-tokens.mjs script performs strict JSON parsing, value type validation, and slugification of variable names to ensure safe output formatting.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 08:59 AM
Security Audit — agent-trust-hub — export-tokens-figma