Skills
NYC
skills/johnlindquist/claude/figma/Gen Agent Trust Hub

figma

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill fetches arbitrary design data from the Figma API and interpolates it directly into a prompt for the gemini CLI tool.
  • Evidence: In SKILL.md, the Design to Code with AI section shows $NODE (raw JSON from Figma) being injected into a React code generation prompt.
  • Ingestion points: Data enters the context via curl requests to api.figma.com.
  • Boundary markers: Absent. No delimiters or instructions to ignore embedded commands are present in the interpolation string.
  • Capability inventory: The agent uses the gemini CLI to generate code, and shell redirection to write files.
  • Sanitization: Absent. Raw JSON objects are passed directly to the model.
  • [Unverifiable Dependencies] (MEDIUM): The skill instructs users to install and use a non-standard global package and dynamic plugins.
  • Evidence: bun add -g @figma-export/cli and require('@figma-export/output-components-as-svg'). These are not from the [TRUST-SCOPE-RULE] list of trusted sources.
  • [Dynamic Execution] (MEDIUM): The use of a .figmaexportrc.js configuration file involves executing JavaScript that can include arbitrary require calls and function executions.
  • Evidence: The provided config example uses require(...) to load plugins at runtime.
  • [Data Exposure] (LOW): While the skill uses environment variables for tokens (good practice), it involves fetching content from dynamic URLs retrieved from an external API.
  • Evidence: The export-icons.sh script downloads data from $SVG_URL provided by the Figma API.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:39 AM