Security risk report for @forgecat/openai_skills_figma-create-new-file v0.0.10
Source Integrity
Low
Profile is sourced from OpenAI's official skills repository (github.com/openai/skills) with clear attribution and commit hash.
Licensed under Apache-2.0 and marked as a curated skill with multi-platform testing (Claude Code, Cursor, Codex).
Agent Intent
Low
Content describes a legitimate Figma file creation workflow with no instructions to manipulate the AI, read credentials, or exfiltrate data.
The skill documentation is purely functional: it explains how to parse arguments, resolve plan keys via the whoami tool, and call create_new_file with appropriate parameters.
No guidance poisoning, system prompt leakage, or role hijacking attempts detected; the instructions are transparent and aligned with the stated purpose.
Details
Evidence
Workflow section clearly documents the decision tree for planKey resolution and the create_new_file tool invocation.
No references to reading ~/.ssh, ~/.aws, .env, or exfiltrating data.
No instructions to hide, deny, or reveal system prompts or hidden instructions.
Permissions
Low
The skill uses only the Figma MCP server (figma) with no shell, file_write, file_delete, or other high-risk tool categories.
Authority is narrowly scoped to creating Figma files (design or figjam) in the user's drafts folder, matching the stated purpose.
The whoami tool call is a legitimate prerequisite to resolve the user's plan context before file creation.
Details
Evidence
No declared tools with shell, file_mutate, or file_delete categories.
MCP server is limited to Figma API operations (create_new_file, whoami).
Skill description and workflow are consistent with the minimal permissions required.
MCP Risk
MCP-000Medium
The MCP server points to https://mcp.figma.com/mcp, which is Figma's own official MCP endpoint — a known, reputable external host rather than an arbitrary or attacker-controlled server.
External network access is inherent; any MCP call to a remote host carries a baseline risk of data exposure or dependency on third-party availability.
No hidden instructions are embedded in tool descriptions, and no unrestricted filesystem or shell access is granted through the MCP definition.