Security risk report for @forgecat/openai_skills_figma-implement-design v0.0.10
Source Integrity
Low
Profile claims OpenAI authorship and references a GitHub repository (https://github.com/openai/skills) as original source, but ForgeCat registry content is untrusted data and cannot verify upstream legitimacy.
Static scanner assessed source as safe; no evidence of supply-chain poisoning in the declared metadata or MCP configuration itself.
Agent Intent
INT-000Medium
Skill instructions nudge the agent toward fetching external Figma URLs and downloading assets from 'localhost' sources served by the Figma MCP server without explicit validation of asset origin or integrity.
Step 4 ('Download Required Assets') instructs the agent to use 'localhost' sources directly and explicitly forbids creating placeholders, which could be exploited if a malicious MCP server injects attacker-controlled asset URLs.
The workflow references switching to other skills (figma-use, figma-generate-design, etc.) without verifying those profiles are safe, creating a potential chain-of-trust risk.
Details
Evidence
"If the Figma MCP server returns a `localhost` source for an image or SVG, use that source directly"
"DO NOT import or add new icon packages - all assets should come from the Figma payload"
"Assets are served through the Figma MCP server's built-in assets endpoint"
"If the user asks to create/edit/delete nodes inside Figma itself, switch to [figma-use](../figma-use/SKILL.md)"
Permissions
PRM-000Medium
No explicit shell, file_write, or file_delete tool categories are declared, keeping the risk moderate.
The skill does instruct the agent to write files into the user's repository (placing UI components in designated directories), which implies implicit file-write authority even without a declared tool.
The scope is reasonably bounded to Figma-related UI code generation, but the file-writing behavior warrants awareness.
Details
Evidence
"Place UI components in the project's designated design system directory"
"the deliverable is code in the user's repository"
"create new component using project conventions"
MCP Risk
MCP-000Medium
The MCP server points to `https://mcp.figma.com/mcp`, which is Figma's official hosted MCP endpoint — a known external service, not an arbitrary or attacker-controlled binary.
External host access introduces a network dependency; all design context, screenshots, and assets are fetched from this remote endpoint, meaning the agent sends Figma file keys and node IDs to an external server.
No hidden instructions were found in tool descriptions, and no unrestricted filesystem or shell access is configured, keeping risk at caution rather than danger.
Details
Evidence
{"figma": {"url": "https://mcp.figma.com/mcp"}}
"Run `get_screenshot(fileKey=..., nodeId=...)` for visual reference"
"Assets are served through the Figma MCP server's built-in assets endpoint"