figma-mcp
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The setup guide (
references/setup-guide.md) recommends installing thefigma-developer-mcppackage from an untrusted community source (GLips). Using unverifiable packages from non-trusted organizations poses a supply chain risk. - CREDENTIALS_UNSAFE (LOW): The skill requires users to manage and store Figma Personal Access Tokens (PATs) in configuration files. While the documentation provides warnings against committing these secrets, storing plain-text tokens in local configuration files is a credential exposure risk.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) as it ingests untrusted data from external Figma URLs.
- Ingestion points: Figma design data (JSON) retrieved via
get_figma_data(referenced inSKILL.md). - Boundary markers: No specific delimiters or safety warnings are implemented to prevent the agent from obeying instructions embedded in Figma text layers or metadata.
- Capability inventory: The agent can generate code, read/write files, and execute commands depending on the user's tool environment.
- Sanitization: No sanitization or validation of the retrieved Figma content is mentioned before it is processed for code generation.
Audit Metadata