Security audit

Figma To Static 2.0.5

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Figma-to-HTML/CSS workflow that handles sensitive Figma and Claude authentication. Users should review the auth setup, but the artifacts do not show malicious behavior.

Install only if you are comfortable letting the skill use Figma credentials and, optionally, the local Claude credential store for Figma MCP. Prefer explicit FIGMA_MCP_TOKEN or FIGMA_TOKEN when possible, review any Claude CLI/MCP setup command before running it, and do not share or commit temporary auth-lock files, callback URLs, code#state values, or credential files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
A large portion of the skill is devoted to generic Claude CLI login, OAuth handoff, session locking, and MCP account setup rather than Figma-to-static conversion. Expanding into generalized auth and account-management procedures increases attack surface and the chance that sensitive auth artifacts or local account state are handled in contexts where users did not expect that behavior.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script manages Claude OAuth login state, which is unrelated to a Figma-to-static HTML/CSS skill and therefore represents hidden identity/authentication functionality outside the declared scope. In an agent skill context, undeclared auth-handling code can be used to facilitate unauthorized account linking, token capture workflows, or covert session manipulation, making the mismatch itself a strong security signal.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code acquires, persists, and validates Claude OAuth state and callback/code inputs, introducing account authentication/session-state handling that is not justified by the skill's stated design-to-code purpose. In this context, hidden OAuth workflow support is dangerous because it can enable account handoff or session abuse under the guise of an unrelated skill, increasing the likelihood of credential or session compromise.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This script is unrelated to the declared Figma-to-static HTML/CSS purpose and instead classifies Claude REPL authentication states to determine when it is 'safe' to request and submit auth artifacts like code#state. That creates a strong indicator of hidden credential-handling or session-hijacking functionality embedded in an unrelated skill, which materially increases the risk of unauthorized account access or deceptive operator workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly instructs operators to use a local Claude credential store and environment token paths for Figma access, but it does not include strong handling constraints, least-privilege guidance, or warnings against exposing, copying, or logging those secrets. In an agent skill context, normalizing direct credential consumption can lead to unsafe automation patterns where sensitive tokens are read from disk or shell state without clear user consent boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes the full authorization URL and lock contents to disk and returns them in JSON output, which may expose OAuth state values, session identifiers, and potentially other sensitive query parameters to logs, terminals, or other local processes. Even if the state is not a bearer token, leaking auth-flow artifacts can aid replay, session confusion, or correlation of active authentication attempts.

Credential Access

High
Category
Privilege Escalation
Content
## Prerequisites

Figma MCP token is stored in `~/.claude/.credentials.json` under `mcpOAuth.figma*`.

`fetch_figma_mcp.py` now auto-refreshes near-expiry tokens when running with `--allow-claude-credentials`.
Confidence
96% confidence
Finding
credentials.json

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.