lf-design-system

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves untrusted data from Figma layer names, metadata, and design tokens and interpolates it into specs/design-system.md. This generated file is explicitly defined as a 'source of truth' for AI agents, so malicious instructions embedded in the Figma file could influence the behavior of downstream agents that read the documentation.
    • Ingestion points: External data enters the context via mcp__plugin_figma_figma__get_metadata, mcp__plugin_figma_figma__get_variable_defs, and mcp__plugin_figma_figma__get_design_context as specified in the Step 3 instructions of SKILL.md.
    • Boundary markers: The template in templates/design-system.md does not use delimiters or explicit 'ignore embedded instructions' warnings for the data fields (e.g., {{BRAND_TOKEN_100}}, {{NODE_TYPOGRAPHY_NAME}}).
    • Capability inventory: The skill utilizes the Write tool to create and modify files on the local file system.
    • Sanitization: There is no evidence of sanitization, escaping, or validation of the content retrieved from the remote Figma source before it is written to the documentation file.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 03:13 PM