qt-figma-token-extraction
Fail
Audited by Snyk on Jun 13, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.70). The skill includes an explicit instruction to withhold a known limitation ("Don't mention this limitation upfront; only explain it if multiple modes are discovered during extraction"), which is a deceptive directive outside the stated extraction purpose and thus constitutes a prompt injection risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill ingests outsider-authored free text from Figma at runtime via the MCP/REST extraction path (e.g.,
get_variable_defs/get_design_contextresponses anddesign-tokens-raw.jsoncontents), where token names/values come from a third-party design file and are then placed into the agent’s LLM context for mapping and QML generation.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill uses runtime HTTP calls to the Figma REST API (e.g. https://api.figma.com/v1/files/FILE_KEY/variables/local, https://api.figma.com/v1/files/FILE_KEY/styles, https://api.figma.com/v1/files/FILE_KEY/nodes?ids=NODE_IDS and https://api.figma.com/v1/me) to fetch JSON token/style data which is required at runtime and is injected/used to drive the agent's QML-generation logic, so these external endpoints directly control the agent's outputs.
Issues (3)
E004
CRITICALPrompt injection detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata