figma-to-code
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest and analyze external data (Figma designs/screenshots). This creates a potential attack surface where malicious instructions could be hidden in the UI text or metadata of a Figma file. However, because the skill only provides guidance for code generation and lacks automated execution or network exfiltration capabilities, the risk is negligible.
- Data Exposure & Exfiltration (SAFE): No hardcoded credentials, sensitive file paths, or network operations were detected. The skill operates entirely within the context of analyzing designs provided by the user.
- Remote Code Execution & Dependencies (SAFE): The skill mentions a technical stack (Next.js, Tailwind, Framer Motion) as a target for generation, but it does not perform any package installations or execute remote scripts.
- Obfuscation (SAFE): The content is clear and uses standard Markdown formatting with no hidden characters or encoded strings.