The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill is susceptible to attacks where malicious Figma design metadata influences agent behavior. 1. Ingestion points: Design context and layer names via mcp0_get_design_context (SKILL.md, Step 1). 2. Boundary markers: Absent; instructions imply direct usage of external strings. 3. Capability inventory: Shell command execution (mkdir, curl) and file-write operations for .tsx files (SKILL.md, Steps 2-3). 4. Sanitization: Absent; no filtering of <illustration-name> or design constants. An attacker can name layers with shell metacharacters or inject React code to compromise the local environment or the web application.
[Command Execution] (MEDIUM): Executes shell commands like mkdir and curl using parameters derived from external Figma metadata, creating a significant command injection surface.
[External Downloads] (LOW): Downloads assets from localhost:3845. While localhost is a whitelisted exfiltration target, it serves as the source of untrusted data processed by the higher-severity injection surfaces described above.

figma-illustration-import