penpot-mcp-operator

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the execute_code tool to run JavaScript snippets within the Penpot plugin context. This is the core functionality required to inspect and modify design files programmatically.
  • [DATA_EXFILTRATION]: The documentation contains strong security directives instructing the agent to never log, commit, or share the userToken required for remote MCP access, effectively mitigating credential exposure risks.
  • [PROMPT_INJECTION]: As the skill reads and processes data from active design files (such as layer names and object keys), it possesses an indirect prompt injection surface. However, the skill mandates a 'read-only probe' and 'API-first' workflow to ensure actions are based on verified structural data rather than untrusted content.
  • [SAFE]: All external references, including documentation and code repositories, point to official Penpot domains and GitHub organizations, which are recognized as well-known and legitimate services for this skill's purpose.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 12:23 PM
Security Audit — agent-trust-hub — penpot-mcp-operator