Figma

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Figma integration; its risks are the expected ones of relying on MorphixAI as an intermediary, linking a Figma account, and optionally letting the skill change comments.

Install only if you trust MorphixAI and the separate plugin it requires. Store the API key as a secret, use the least-privileged Figma account or workspace access available, and require explicit approval before posting, replying to, or deleting comments in shared Figma files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill exposes write/delete actions on shared Figma comments but does not warn users that these operations modify collaborative workspace content. In an agent context, this increases the risk of accidental or unauthorized changes, audit confusion, and disruption of team communication if the tool is invoked without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill advertises broad access to Figma workspace data through an external proxy service (MorphixAI) but does not disclose privacy, retention, or data-handling implications. This can cause users to expose sensitive designs, comments, tokens, and metadata to a third party without informed consent or understanding of how that data is processed.

VirusTotal

65/65 vendors flagged this skill as clean.
