sync-figma-token

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill synchronizes data with Figma variables, a well-known and legitimate service. This interaction is the primary purpose of the skill and is managed via authorized MCP servers with user oversight.
  • [PROMPT_INJECTION]: The skill processes external data from token files and source code, presenting a surface for indirect prompt injection. This risk is mitigated by the mandatory safety rule requiring a dry-run and manual user confirmation before applying any changes. Evidence: Ingestion points: tokens.json, platform theme sources; Boundary markers: None; Capability inventory: use_figma write operations; Sanitization: None.
  • [SAFE]: Execution reports are persisted to the /tmp directory, which is standard practice for temporary file management and does not involve access to sensitive user configuration paths.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 02:08 PM