figma-to-react-components

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted external data from Figma files.
      • Ingestion points: Design metadata, component descriptions, property names, and variable definitions are extracted via Figma:get_design_context and Figma:get_variable_defs (documented in SKILL.md and references/spec-driven-development.md).
      • Boundary markers: None. There are no instructions to the agent to delimit or ignore potential natural language instructions embedded within the extracted Figma metadata.
      • Capability inventory: The agent has extensive capabilities including writing React components, SCSS files, and token definitions to the local filesystem, as well as executing shell commands and deleting files.
      • Sanitization: None. Extracted strings (e.g., from Figma descriptions) are directly interpolated into generated documentation (references/props-template.md) and code comments, allowing an attacker to potentially influence the agent's behavior during the generation process.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands for project discovery and file management.
      • Discovery: references/token-mapping-guide.md specifies the use of shell utilities fd and rg (ripgrep) to locate token files (e.g., fd '\.scss$' --type f | rg -l '\$color-|...\').
      • File Deletion: SKILL.md Phase 8 explicitly instructs the agent to delete files from the local filesystem, such as 'root-level SVG files' and 'temporary images', which presents a risk of unintended data loss if the agent's scope is manipulated.
  • [COMMAND_EXECUTION]: The workflow involves generating and saving multiple files (React components, stylesheets, Storybook stories) to the local directory, which is a core function but requires careful oversight to prevent directory traversal or file overwriting if component names are maliciously crafted in Figma.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 06:57 PM