The Agent Skills Directory

[REMOTE_CODE_EXECUTION] (MEDIUM): The module modules/core.md contains logic for dynamic package detection using require with computed paths (e.g., require(${projectPath}/package.json)). This is a dynamic loading pattern that could be exploited to execute arbitrary code if the path or file content is controlled by an attacker.
[COMMAND_EXECUTION] (MEDIUM): The skill performs extensive filesystem operations in modules/advanced.md and modules/core.md, including fs.writeFileSync and fs.mkdirSync. These are used to write source code and assets fetched from external sources (Figma API) directly to the local disk, which is a high-risk operation.
[PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the Figma API and processes it to generate executable code. A malicious Figma file could contain injected instructions in metadata or component names designed to compromise the downstream development environment.
Ingestion points: mcp__figma__get_variable_defs and mcp__figma__get_design_context (File: modules/advanced.md, modules/core.md).
Boundary markers: None present in the provided context to delimit external data from instructions.
Capability inventory: Extensive use of fs.writeFileSync (writes .ts, .json, .css files) and fs.mkdirSync to persist generated content.
Sanitization: No input validation or sanitization of the Figma-derived content is shown before it is used in code generation.

moai-connector-figma