Security risk report for @forgecat/openai_skills_figma-generate-design v0.0.10
Source Integrity
Low
Profile sourced from OpenAI's official skills repository (github.com/openai/skills) with clear attribution and Apache-2.0 license.
Commit hash and timestamp provided; no evidence of tampering or supply-chain injection.
Agent Intent
Low
Content describes legitimate Figma design workflow (screen creation, design system reuse, component discovery) with no instructions to manipulate the AI, read credentials, exfiltrate data, or bypass security controls.
Skill boundaries and prerequisites are clearly documented; no hidden instructions to ignore prior guidance or install remote payloads.
Guidance on design system discovery and component reuse is standard practice, not poisoning — recommends using published design system tokens instead of hardcoding values, which is a security-positive pattern.
Details
Evidence
"Discovers design system components, variables, and styles via search_design_system, imports them, and assembles screens incrementally section-by-section using design system tokens instead of hardcoded values."
"Follow these steps in order. Do not skip steps." — procedural clarity, not role hijack.
"Only fall back to `search_design_system` when the file has no existing screens to reference." — conditional logic, not unconditional exfiltration.
Permissions
PRM-000Medium
The profile declares no explicit tool categories, but the workflow heavily relies on an external MCP server (mcp.figma.com) for all Figma operations, which constitutes external network access beyond a purely local scope.
The skill instructs the agent to read source files ('read the relevant source files to understand the page structure') which implies file-read access, though this is consistent with a code-to-Figma translation purpose.
Authority appears broadly matched to the stated purpose (Figma screen generation), but the combination of file reading and external MCP calls warrants mild caution.
Details
Evidence
"If building from code, read the relevant source files to understand the page structure, sections, and which components are used."
"Figma MCP server must be connected" — all Figma mutations flow through https://mcp.figma.com/mcp
"Run generate_figma_design to capture a pixel-perfect screenshot of the running web app" — implies ability to render/interact with live web apps
MCP Risk
MCP-000Medium
The MCP server points to https://mcp.figma.com/mcp, which is Figma's own official hosted endpoint — a known, legitimate service — reducing supply-chain risk.
However, the server is an external host accessed over the network, and the profile grants it the ability to read and write Figma files, which is a non-trivial permission surface.
No hidden instructions were found in tool descriptions, and no arbitrary binary execution or full filesystem access is declared.