ui-to-figma
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill provides instructions to install external packages from npm (@figma/mcp-server) and npx (figma/mcp-server-guide). As the 'figma' organization is not included in the predefined list of trusted GitHub organizations or repositories, these are classified as unverifiable dependencies.
- COMMAND_EXECUTION (LOW): The skill utilizes command-line tools for setup (pip, npm, npx) and executes Python scripts to automate browser interactions via Playwright. These actions are aligned with the skill's purpose but involve execution of local code.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted project files to extract design tokens.
  - Ingestion points: Reads tailwind.config.js, various CSS files, and component source files (.tsx, .jsx, .vue, .svelte).
  - Boundary markers: No specific delimiters or safety warnings are implemented to prevent the agent from obeying instructions hidden within these files.
  - Capability inventory: The agent can write to the local file system (design-tokens.md), execute browser-based tasks through Playwright, and modify cloud-based designs via the Figma MCP API.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions embedded in the ingested source code content.
Audit Metadata