figma-design-handoff

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates data retrieval from well-known services, specifically the Figma REST API (api.figma.com) and Applitools (applitools.com), for design token extraction and visual regression testing.
  • [COMMAND_EXECUTION]: The workflow incorporates the execution of standard build and testing tools including Node.js scripts, Style Dictionary, Playwright, and the Applitools CLI to automate the conversion of design assets into code.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from external sources.
    ◦ Ingestion points: Data is ingested via the Figma REST API and local tokens/figma-raw.json files.
    ◦ Boundary markers: No explicit delimiters or instructions to ignore embedded commands were identified in the provided configuration examples.
    ◦ Capability inventory: The agent has the capability to execute subprocesses (e.g., node, npx) for token transformation and to perform network requests via WebFetch.
    ◦ Sanitization: There is no evidence of sanitization or validation of the content retrieved from the design files before it is processed by the transformation scripts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 16, 2026, 06:22 PM