figma-skill

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the requests Python library to be installed via pip. This is a well-known and standard package for handling HTTP operations.
  • [PROMPT_INJECTION]: The skill processes untrusted external data from Figma, creating an indirect prompt injection surface.
      ◦ Ingestion points: The script fetches file metadata, component descriptions, and user comments from the Figma API.
      ◦ Boundary markers: None present. Data is output as structured JSON for the agent to consume.
      ◦ Capability inventory: The skill uses the Bash and Read tools and performs network operations to api.figma.com.
      ◦ Sanitization: Content is passed through as raw JSON strings with no filtering for instructions that may be embedded in design comments or names.
  • [CREDENTIALS_UNSAFE]: The skill documentation correctly instructs users to store their API token in a local config.json file rather than hardcoding it in the script. The script resolves the path to this file relative to its own location.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Feb 27, 2026, 03:20 PM