vibefigma

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill executes npx vibefigma, which dynamically downloads and runs code from the npm registry. The source package is not from a verified trusted organization.
  • Data Exposure & Exfiltration (LOW): The skill manages Figma Access Tokens. While using environment variables and .env files is standard practice, it requires the agent to handle sensitive credentials.
  • Indirect Prompt Injection (LOW): The skill processes Figma design data which could contain malicious instructions. Evidence: 1. Ingestion: Figma design URL (SKILL.md). 2. Boundary markers: Absent. 3. Capability: CLI execution and file writing (SKILL.md). 4. Sanitization: Absent.
  • Privilege Escalation (LOW): The skill utilizes the --force flag to overwrite local files, bypassing safety checks for existing user content.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 05:47 PM