figma-design-pipeline

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data from external Figma designs and uses it to drive code generation and verification workflows.
      • Ingestion points: Processes data from a user-provided Figma URL in Step 2 and Step 3.
      • Boundary markers: There are no explicit delimiters or instructions to the model to ignore potential commands embedded in Figma layer names, comments, or metadata.
      • Capability inventory: The pipeline has the capability to write files to the local file system (via figma-to-code) and execute logic based on the design input.
      • Sanitization: No sanitization or validation of the retrieved design content is performed before processing.
  • Command Execution (MEDIUM): The skill dynamically executes other logic by reading and following instructions in .claude/skills/figma-to-code/SKILL.md and .claude/skills/design-check/SKILL.md. This creates a significant attack surface if those local skill files are tampered with or contain their own vulnerabilities.
  • Credentials Unsafe (LOW): The skill requires and references the FIGMA_TOKEN environment variable. While it does not hardcode the secret, the workflow depends on the presence of this sensitive credential, which could be targeted by other malicious skills or through exfiltration if the environment is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 12:34 AM