The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): Multiple scripts (add_code_connect.sh, get_design_context.sh, get_screenshot.sh, get_variables.sh) construct a string for mcporter call by interpolating shell variables like $SOURCE, $COMPONENT_NAME, and $NODE_ID directly into a double-quoted string.
Evidence: In scripts/add_code_connect.sh, the line mise x node@20 -- mcporter call "figma-desktop.add_code_connect_map($PARAMS)" executes a string where $PARAMS is built from user-controlled inputs. A malicious string (e.g., containing "), some_other_command() //) could manipulate the intended logic or execute unintended functions within the mcporter context.
DATA_EXFILTRATION (MEDIUM): The script scripts/get_screenshot.sh allows the caller to specify an arbitrary output file path via the --output parameter.
Evidence: The script executes mise x node@20 -- mcporter call ... > "$OUTPUT_FILE" without validating that the path is within a safe directory. This can be exploited to overwrite sensitive user files like ~/.bashrc or ~/.ssh/authorized_keys if the agent is tricked via prompt injection.
INDIRECT_PROMPT_INJECTION (LOW): The skill processes data from Figma (node IDs, component names). Since these are interpolated into command strings, a malicious Figma design file containing specifically crafted node names could trigger the command injection vulnerabilities described above.
EXTERNAL_DOWNLOADS (SAFE): The scripts use mise to manage the Node.js environment, which is a standard and trustworthy tool-chain manager.

figma