Security risk report for @forgecat/openai_skills_figma-code-connect-components v0.0.10
Source Integrity
Low
Static scanner assessed source as safe.
Profile originates from OpenAI's official skills repository (github.com/openai/skills) with Apache-2.0 license and documented commit hash, indicating legitimate upstream provenance.
Agent Intent
Low
Content describes legitimate Figma Code Connect workflows (component mapping, codebase scanning, tool invocation) without injecting hidden instructions or role hijacking.
No instructions to read credentials, exfiltrate data, reveal system prompts, or install malicious payloads.
Guidance on component matching and prop comparison is standard design-to-code practice, not poisoned knowledge or security-weakening defaults.
Details
Evidence
Step 1–4 workflow is transparent: get suggestions → scan codebase → present matches → create mappings.
URL parsing instructions (node-id hyphen-to-colon conversion) are technical clarifications, not obfuscated directives.
No references to bypassing authentication, disabling TLS, or installing untrusted dependencies.
Permissions
PRM-000Medium
The profile declares no explicit tool categories, but the workflow instructs the agent to scan the codebase (reading arbitrary files in src/components/, app/components/, lib/ui/, etc.), which constitutes implicit file-read authority.
The MCP server at https://mcp.figma.com/mcp is an external network endpoint, adding web_fetch/external-host access beyond a purely local operation.
These permissions are broadly consistent with the stated Figma Code Connect purpose, but codebase scanning scope is not tightly bounded and could touch sensitive project files.
Details
Evidence
"Search for component files with matching names" / "Read candidate files to check structure and props"
"Check common component paths: src/components/, app/components/, lib/ui/"
MCP server: "url": "https://mcp.figma.com/mcp"
MCP Risk
MCP-000Medium
The MCP server points to https://mcp.figma.com/mcp, an external host operated by Figma; while Figma is a well-known vendor, any external MCP endpoint introduces network egress and potential credential transmission risk.
No hidden instructions or suspicious tool descriptions are embedded in the MCP server definition itself.
The server is scoped to Figma-specific operations (get_code_connect_suggestions, send_code_connect_mappings) and does not appear to grant unrestricted filesystem or shell access.