moai-design-systems

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly requires using Figma MCP to fetch/extract design tokens and component data from external Figma file URLs (see the "Figma MCP Integration Workflow", the link-based workflow and scripts/sync-figma-tokens.ts calling figma-mcp with a figmaFileUrl), so the agent ingests untrusted, user-generated third‑party Figma content that is then interpreted to generate code and drive follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly uses Figma MCP and Figma file URLs at runtime (e.g., https://www.figma.com/file/XYZ123/DesignSystem and the MCP endpoint https://mcp.figma.com/mcp) — the content fetched from those URLs is injected into prompts and consumed by the figma-mcp CLI (execAsync figma-mcp extract-tokens ...) to generate code/design tokens, so external content directly controls prompts and code generation.