figma
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill ingests design data from Figma which could be manipulated by an attacker to include hidden instructions.
- Ingestion points:
get_design_contextandget_metadatatools. - Boundary markers: None present.
- Capability inventory: Translating designs into React/Tailwind code and managing assets.
- Sanitization: None present.
- Data Exposure & Exfiltration (LOW): The skill communicates with
mcp.figma.com, which is outside the whitelist. Thewhoamitool also allows retrieval of user identity information (email, plan). - External Downloads (LOW): The agent is configured to connect to a remote MCP server at
https://mcp.figma.com/mcp. This finding is downgraded to LOW because the skill author (OpenAI) is a trusted organization.
Audit Metadata