Security risk report for @forgecat/openai_skills_figma-generate-library v0.0.10
Source Integrity
Low
Static scanner rated source as safe.
Profile metadata indicates origin from OpenAI's official skills repository (https://github.com/openai/skills) with Apache-2.0 license.
Commit hash and timestamp provided; no evidence of tampering or supply-chain compromise.
Agent Intent
Low
Content is educational documentation for a Figma design system workflow; it describes WHAT to build and in WHAT ORDER, not instructions to manipulate the AI or exfiltrate data.
Code examples are legitimate `use_figma` plugin scripts for creating design tokens, components, and documentation—no prompt injection, role hijacking, or system prompt leakage attempts.
References to 'ignore previous instructions' or exfiltration patterns appear only in the rubric context (error recovery, cleanup protocols) as part of explaining safe idempotency patterns, not as directives to the agent.
SKILL.md: 'This skill teaches WHAT to build and in WHAT ORDER' — describes workflow, not manipulation.
component-creation.md: Complete JavaScript examples for creating Figma components with variable bindings—standard plugin API usage.
error-recovery.md: Cleanup protocol uses pluginData-based node identification for safe recovery, not destructive name-based deletion.
Permissions
PRM-000Medium
The profile connects to an external MCP server (https://mcp.figma.com/mcp) which provides write access to Figma files — this is broader than a purely read-only tool, though it is scoped to Figma's own official endpoint.
No shell, file_write, file_delete, or file_mutate tool categories are declared, keeping the risk moderate.
The skill orchestrates 20–100+ sequential Figma API calls with write operations (creating pages, components, variables), which is a meaningful level of agency, but it is consistent with the stated design-system-building purpose.
Details
Evidence
MCP server: 'figma' at https://mcp.figma.com/mcp (streamable_http) — external write-capable endpoint
SKILL.md: 'Building a design system requires 20–100+ use_figma calls across multiple phases'
No alwaysApply=true or glob='**' rules; no shell or filesystem tool declarations found
MCP Risk
MCP-000Medium
A single MCP server is defined pointing to https://mcp.figma.com/mcp, which is Figma's own official MCP endpoint — a known, legitimate service rather than an unknown or attacker-controlled binary.
The server uses streamable HTTP and grants write access to Figma files, which is broader than read-only but is scoped to the Figma platform and consistent with the skill's stated purpose.
No hidden instructions were found embedded in tool descriptions, and no unrestricted filesystem or arbitrary binary execution is involved.