figma
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The documentation provides instructions for managing a sensitive FIGMA_OAUTH_TOKEN and suggests persisting it in plain text within shell initialization files.
- [DATA_EXFILTRATION]: The skill setup involves accessing and modifying sensitive local configuration and shell profile files, including ~/.bashrc, ~/.zshrc, and ~/.codex/config.toml.
- [PROMPT_INJECTION]: The design-to-code workflow introduces a surface for indirect prompt injection by fetching and processing external design metadata and node names from the Figma API.
  - Ingestion points: Design content retrieved via tools such as get_design_context and get_metadata.
  - Boundary markers: No explicit instructions or delimiters are used to prevent the agent from executing instructions embedded in design strings.
  - Capability inventory: The agent has the ability to write production code to the filesystem and initiate network downloads for assets.
  - Sanitization: There is no specification for sanitizing or validating strings received from the Figma API before processing.
Audit Metadata