moai-design-tools
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The documentation in reference/figma.md and reference/pencil-renderer.md instructs the setup of MCP servers using "npx -y @modelcontextprotocol/server-figma" and "npx -y @modelcontextprotocol/server-pencil". These packages are downloaded from a remote registry at runtime.
- [REMOTE_CODE_EXECUTION] (HIGH): The use of npx to execute remote packages without version pinning or integrity verification constitutes remote code execution. The @modelcontextprotocol organization is not included in the predefined trusted source list, making these unverified dependencies.
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly requests Bash permissions in SKILL.md. While intended for developer workflows, this capability can be leveraged to execute arbitrary system commands if the agent is compromised or misled.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Fetches design metadata, component descriptions, and DNA codes from external Figma and Pencil files via MCP tools.
  - Boundary markers: Absent. The skill does not define delimiters or instructions for the agent to ignore commands embedded within the design data.
  - Capability inventory: Includes Bash, Write, Edit, and WebFetch, which could be exploited by malicious instructions hidden in design files.
  - Sanitization: Absent. There is no evidence of input validation or sanitization for the fetched design context.
Recommendations
- AI detected serious security threats
Audit Metadata