Back to skill

Security audit

Figma To Mobile

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent Figma-to-mobile-code helper, but one included Chinese README still tells users to paste a Figma token and let the agent save it into a project .env file.

Review the credential setup carefully before installing. Set FIGMA_TOKEN yourself through your shell or a secure secret mechanism; do not paste the token into chat or allow it to be saved into a project .env file. If using project scanning, point it only at the relevant app directory, and enable feedback logging only when any retained snippets are safe to keep locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to use sensitive capabilities including environment access, network calls to the Figma API, local project reads, and writing files such as feedback logs, but does not declare corresponding permissions. This creates a trust and containment problem: users and policy systems may not realize the skill can access tokens, inspect local resources, and persist data to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose understates behavior that includes comparing multiple Figma states, exporting nodes as SVG through the Figma images API, and analyzing feedback logs into reports. Undisclosed behaviors increase the risk of unexpected data access, additional external API usage, and extra local file processing beyond what a user would reasonably expect from a simple design-to-code converter.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README states the agent will prompt for a Figma personal access token and automatically write it into the project root `.env` file. That introduces credential collection and local file modification behavior beyond pure Figma-to-code conversion, and storing secrets in a project directory increases the chance of accidental inclusion in source control, logs, or other tooling access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented flow asks the user to paste a sensitive access token and says it will be automatically written to `.env`, but it does not clearly warn about credential-handling risks. In an agent context, normalizing secret submission to the model and workspace storage can lead to disclosure through transcripts, accidental commits, or reuse by other tools with project access.

Ssd 3

Medium
Confidence
96% confidence
Finding
Directing the agent to solicit a Figma access token and store it in a project-local `.env` file creates a secret-handling path that can expose credentials to the agent, local workspace, and repository-adjacent processes. This is more dangerous in this skill because the agent already scans local projects, so it has broad workspace interaction and the token storage occurs in the same area that may later be indexed, edited, or committed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.