figma-plugin
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The documentation correctly describes the Figma plugin sandbox: the main thread runs in an isolated JavaScript environment with access to the `figma` API but no DOM, while the UI runs in a separate iframe with a null origin that has ordinary browser capabilities but no direct access to the plugin API. The two sides communicate only through `postMessage`, so code running in the UI (including any third-party script it loads) can act on the document only through messages the main thread chooses to honour.
- [EXTERNAL_DOWNLOADS] (LOW): The skill mentions loading external resources such as Google Fonts and libraries from jsDelivr in the UI thread. This is standard web-development practice; in a plugin it is additionally subject to the manifest's `networkAccess.allowedDomains` list, which Figma enforces, and to the browser's iframe sandbox. The residual risk is that a script fetched from a CDN runs with the UI iframe's privileges, so the main thread should validate every message it receives rather than trusting the UI.
- [DATA_EXFILTRATION] (SAFE): The documentation describes how to export node data and make network requests, but these are legitimate features of the Figma API used for design automation and asset export. The skill correctly notes that any network destination must be declared explicitly in the manifest's `networkAccess` section, so data can leave the plugin only to origins the manifest lists.
- [COMMAND_EXECUTION] (SAFE): The build instructions provide standard configurations for esbuild, vite, and webpack. No malicious or obfuscated commands were identified.
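The two trust boundaries named in the findings above are the manifest's network allowlist and the message channel between the UI iframe and the main thread. The following is an added example, written for this audit page and not code from the audited skill or from Figma. It checks a constructed manifest's `networkAccess` block for weak settings (a `*` wildcard, plaintext HTTP entries, a missing `reasoning`) and shows a main-thread dispatcher that accepts only allowlisted message types and validates their fields before touching the plugin API. The manifest keys (`networkAccess.allowedDomains`, `reasoning`) and the API calls `figma.ui.onmessage`, `getNodeById` and `exportAsync` are Figma's; the manifest values, the `export-node` message shape and the `MOCK_API` object standing in for the global `figma` are assumptions so the block runs outside Figma.

```javascript
// Added example for this audit page, not the audited skill's code.
// MANIFEST is a constructed manifest.json fragment: the UI pulls Google Fonts
// and a library from jsDelivr, the destinations the audit mentions.
const MANIFEST = {
  name: "example-plugin", // assumed values
  id: "0000000000",
  api: "1.0.0",
  main: "dist/code.js",
  ui: "dist/ui.html",
  networkAccess: {
    allowedDomains: [
      "https://fonts.googleapis.com",
      "https://fonts.gstatic.com",
      "https://cdn.jsdelivr.net",
    ],
    reasoning: "Load fonts and a charting library in the plugin UI.",
  },
};

// Flag weak networkAccess settings. Returns a list of findings; empty means
// the block is declared narrowly. Only "*" and "http://" entries are judged,
// so the check does not depend on Figma's exact domain-pattern syntax.
function auditNetworkAccess(manifest) {
  const findings = [];
  const na = manifest.networkAccess;
  if (!na || !Array.isArray(na.allowedDomains)) {
    findings.push("networkAccess.allowedDomains is missing");
    return findings;
  }
  for (const entry of na.allowedDomains) {
    if (entry === "*") findings.push("wildcard entry allows requests to any origin");
    else if (entry.startsWith("http://")) findings.push("plaintext HTTP entry: " + entry);
  }
  const opensNetwork = na.allowedDomains.length > 0 && !na.allowedDomains.includes("none");
  if (opensNetwork && !na.reasoning) findings.push("reasoning is missing for declared network access");
  return findings;
}

// Main-thread side of the UI <-> main channel. Each handler validates the
// fields it uses before calling the API; "export-node" is an assumed type.
const HANDLERS = {
  "export-node": (msg, api) => {
    if (typeof msg.nodeId !== "string") throw new Error("nodeId must be a string");
    const node = api.getNodeById(msg.nodeId);
    if (!node) throw new Error("no node with id " + msg.nodeId);
    return node.exportAsync({ format: "PNG" });
  },
};

// Dispatch one message from the UI. Unknown types, non-object payloads and
// inherited keys such as "constructor" are rejected (hasOwnProperty, not `in`).
// In a real plugin: figma.ui.onmessage = (msg) => handleUiMessage(msg, figma);
function handleUiMessage(msg, api) {
  const type = msg && typeof msg === "object" ? msg.type : undefined;
  if (typeof type !== "string" || !Object.prototype.hasOwnProperty.call(HANDLERS, type)) {
    return { ok: false, error: "rejected message type: " + String(type) };
  }
  try {
    return { ok: true, result: HANDLERS[type](msg, api) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-in for the global `figma` object (assumption, so the block runs in Node).
const MOCK_API = {
  getNodeById: (id) =>
    id === "1:2" ? { id, exportAsync: (opts) => "export(" + id + "," + opts.format + ")" } : null,
};

console.log(auditNetworkAccess(MANIFEST));
console.log(auditNetworkAccess({ networkAccess: { allowedDomains: ["*"] } }));
console.log(handleUiMessage({ type: "export-node", nodeId: "1:2" }, MOCK_API));
console.log(handleUiMessage({ type: "constructor" }, MOCK_API));
```

The dispatcher deliberately returns a structured `{ ok, error }` result instead of throwing, so the main thread can report a rejected message back to the UI with `figma.ui.postMessage` without an unhandled exception stopping the plugin.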
Audit Metadata