figma
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Persistence Mechanisms (MEDIUM): Instructions in
references/figma-mcp-config.mdsuggest modifying shell startup files (~/.zshrc,~/.bashrc) to persist theFIGMA_OAUTH_TOKEN. While standard for developer environment variable configuration, modifying startup files is a persistence technique. Severity is reduced from HIGH to MEDIUM as it is associated with the primary setup purpose. - Indirect Prompt Injection (LOW): The skill ingests untrusted design context from Figma (via
get_design_contextandget_metadatatools). Ingestion points: External Figma design nodes; Boundary markers: None present in the instructions to prevent the model from following instructions embedded in design metadata; Capability inventory: The agent generates and implements production code in the project environment; Sanitization: None specified. - External Downloads (LOW): The agent establishes network connections to an external MCP server at
https://mcp.figma.com/mcp, which is not a whitelisted or predefined trusted source.
Audit Metadata