Back to skill

Security audit

Figma

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: reads Figma data, exports assets, and writes user-requested reports, with ordinary cautions around tokens and output files.

Install only if you are comfortable granting a Figma token to read the files and team resources it can access. Keep the token out of source control and logs, prefer environment or secret-manager injection over --token, and direct exports/reports to a dedicated folder to avoid overwriting local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises read-only analysis, but its instructions clearly involve network access, reading environment variables, and writing files, while no permissions are declared. This mismatch can mislead users or enforcement systems about what the skill is capable of, reducing transparency and weakening least-privilege controls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata describes the capability as read-only analysis, but this function writes an HTML report to a caller-controlled local path. That mismatch breaks the expected trust boundary for a supposedly non-persistent tool and can result in unintended local file creation or overwrite if invoked by an agent or user who assumes no filesystem side effects.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI supports persisting JSON results to an arbitrary output file, which again contradicts the skill's read-only positioning. While not an exploit primitive by itself, this can cause unauthorized local state changes or overwriting of files in environments that rely on the manifest to decide whether the skill may safely run unattended.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata frames the capability as read-only analysis, but this function writes downloaded content to an arbitrary local path. That mismatch increases risk because a caller may authorize or invoke the skill expecting no filesystem side effects, yet the code can create or overwrite files locally.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The CLI can persist API results to disk via --output even though the skill is described as read-only analysis. This is a capability/expectation mismatch that can surprise users and cause unintended local data creation or overwrite.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The client exposes team, project, component, style, and user enumeration functions beyond the manifest's stated file-focused analysis/export scope. In an agent setting, this broader API surface can enable unnecessary collection of organizational metadata and expand blast radius if the token is overprivileged.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The CLI accepts an arbitrary --output path and writes JSON results there without validation or confinement. In an agent context that is presented as 'read-only analysis,' this expands the skill into arbitrary local file write behavior, which could overwrite user files or be abused for filesystem tampering if an untrusted actor can influence arguments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The authentication instructions tell users to place a Figma access token in shell environment variables or append it to a local .env file, but provide no security guidance on protecting that secret. This increases the chance the token is committed to source control, exposed through logs, shared workspaces, or left readable by other local processes/users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
download_image writes remote content directly to a caller-supplied output path without warnings, path restrictions, or overwrite protection. In an agent workflow, that can be abused to place files in unintended locations or overwrite important local files if path input is attacker-controlled.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The --output option writes results to a user-specified path without warning or overwrite checks. While common in CLIs, in a skill/agent context this can still lead to unintended file creation or replacement if consumers rely on the manifest's read-only framing.

Credential Access

High
Category
Privilege Escalation
Content
parser.add_argument('--format', default='png', choices=['png', 'svg', 'pdf'])
    parser.add_argument('--scale', type=float, default=1.0)
    parser.add_argument('--output', help='Output file path')
    parser.add_argument('--token', help='Figma access token (overrides env var)')
    
    args = parser.parse_args()
Confidence
90% confidence
Finding
access token

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
pathlib
Confidence
84% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
pathlib
Confidence
84% confidence
Finding
aiohttp>=3.9.0

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
95% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: aiohttp==3.9.0 — 10 advisory(ies): CVE-2026-54279 (aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
aiohttp==3.9.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.