NYC

figma-sync-design-system

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted external data from Figma via the Figma MCP server.
      • Ingestion points: Component names, variant properties, and descriptions are read from Figma files.
      • Boundary markers: No specific delimiters or safety instructions are defined to separate untrusted Figma content from the agent's logic.
      • Capability inventory: The agent has the authority to 'Generate missing components', 'Update existing components', and 'Create Code Connect mappings', which involves writing and modifying .tsx and .figma.tsx files.
      • Sanitization: There is no evidence of sanitization or validation of the text retrieved from Figma before it is interpolated into code generation prompts.
      • Risk: An attacker with access to the Figma file could insert malicious instructions into component descriptions. The agent, while attempting to 'Sync' or 'Document', might follow these instructions to exfiltrate data, add backdoors to the code, or modify the local environment.
  • [Command Execution] (MEDIUM): Although the skill does not use direct shell commands, its primary purpose is the automated generation and modification of executable source code files. Any manipulation of the input data results in a persistent modification of the application's logic (code injection).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:45 PM