Back to skill

Security audit

Figma To Mobile

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Figma-to-mobile code skill, but it deserves review because it automatically persists feedback logs and its README still describes unsafe token storage that conflicts with the runtime instructions.

Before installing, plan to set FIGMA_TOKEN yourself through your shell or platform secret mechanism and do not paste it into chat or save it to a repository .env file. Only approve project scanning for a specific project directory you are comfortable indexing, and review or disable feedback-log.md behavior if correction history, code snippets, or design details should not be retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill uses sensitive capabilities including environment access, network calls, local file reads, and local file writes, but does not declare permissions or prominently surface them as part of a constrained trust model. This increases the chance that the skill will access tokens, scan local projects, or persist data without clear platform-level review or user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is UI code generation from Figma, but the behavior expands into project scanning, feedback persistence and analysis, SVG export, diffing multiple states, and broader dependency/layout analysis. This mismatch undermines informed consent because users may invoke the skill for design conversion without realizing it can inspect local codebases and retain derived data over time.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README states that the agent will prompt for a Figma personal access token and automatically write it to the project root `.env` file. That expands behavior from design conversion into credential collection and persistence, which is security-sensitive because project directories are often committed, shared, or accessed by other tools. In this skill context, the danger is increased because users are encouraged to paste a secret directly into agent flow.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The feedback loop describes recording errors and adjustments in `feedback-log.md`, analyzing them, and updating `references/` for future runs. This introduces a persistence and self-modification pathway beyond the core purpose of Figma-to-mobile generation, and it can capture sensitive project details, prompts, code fragments, or design metadata that were not intended for long-term retention. In an agent skill, undocumented learning behavior is especially risky because users may not expect their interactions to be stored and reused.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The README explicitly says the agent will prompt for a Figma personal access token and save it to a local `.env` file automatically. Persisting a secret obtained through conversational prompting increases exposure risk because `.env` files are often left on disk, accidentally committed, or accessible to other local tooling, which goes beyond the minimum needed to perform a one-time API call.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill expands from one-time code generation into persistent feedback logging and later analysis, creating a secondary data-collection function unrelated to the immediate user request. This persistence can accumulate user content, project details, and correction history that may expose sensitive implementation information over time.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic long-term feedback collection is not necessary to convert a Figma frame into code and therefore exceeds the user's likely expectation for this skill. Because the log format captures before/after snippets and issue descriptions, it can preserve proprietary UI code, project structures, or sensitive naming details without clear necessity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatically writing a Figma token into `.env` without a prominent warning normalizes unsafe credential handling. Users may paste long-lived personal access tokens into a repository workspace, where they can be exposed through version control, backups, logs, or other tooling. The skill context makes this more dangerous because it explicitly guides the user through secret entry in conversational flow rather than delegating to a safer secret-management mechanism.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation normalizes pasting a personal access token into the agent workflow and states it will be saved automatically, but does not clearly explain the security implications of local secret storage. This can mislead users into disclosing credentials without understanding persistence, reuse, and accidental leakage risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Triggering on any message containing a Figma link is overly broad and may cause the skill to activate, analyze, or prompt for access in contexts where the user did not intend to invoke a code-generation workflow. Broad activation increases the risk of unnecessary network access and local project interaction, especially in mixed conversations containing links for reference only.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs automatic writes to feedback-log.md whenever the user corrects output, but does not require a warning or consent flow before persisting user-provided content. Silent local persistence can store proprietary design requirements, code snippets, or internal component names without the user's knowledge.

Ssd 3

Medium
Confidence
84% confidence
Finding
Persistent logging and later analysis of user/agent interactions can capture sensitive natural-language content, code snippets, internal component names, and proprietary design information. Because the README frames this as an automatic quality-improvement loop, users may be unaware that project context is being retained and mined for future behavior. In this skill, that is particularly relevant because it operates on private codebases and design assets.

Ssd 3

High
Confidence
96% confidence
Finding
The README instructs the agent to ask the user for a Figma token and then automatically store it in `.env`, which is direct collection and persistence of a sensitive credential through chat workflow. This is dangerous because users may reveal a long-lived secret to the agent and have it written into a project directory where it can be leaked via commits, local scans, shell history, backups, or other automation. Given this skill's project-scanning behavior, the context increases risk rather than reducing it.

Ssd 3

Medium
Confidence
94% confidence
Finding
Instructing the agent to solicit a personal access token and save it automatically creates an unnecessary secret-collection and secret-retention behavior inside the skill. Even if intended for legitimate API access, this broadens the attack surface by placing sensitive credentials into agent-managed local files that may be exposed through logs, backups, or source control mistakes.

Ssd 3

Medium
Confidence
97% confidence
Finding
The prescribed feedback entries include platform, issue descriptions, and before/after snippets, which can capture sensitive user content and proprietary code or UI mapping details. Because logging is automatic and ongoing, it creates a local retention store without minimization, selective redaction, or case-by-case necessity review.

Credential Access

High
Category
Privilege Escalation
Content
3. Ask clarifying questions if needed
4. Generate production-ready code files that reference your existing colors, strings, and components

> **Figma Token** — Required on first use. If `FIGMA_TOKEN` is not set, the agent will prompt you to paste your token (Figma → Settings → Security → Personal Access Tokens) and save it to `.env` automatically.

## Supported Platforms
Confidence
88% confidence
Finding
Access Tokens

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.