Figma Comments MCP — agentic threat model

AIVSS 6.4 · Medium

The Figma Comments MCP agent introduces moderate risk by bridging LLMs to external Figma files, with the ability to read and write comments. The primary threat vector is indirect prompt injection: text in untrusted comment threads being treated as instructions by the model or triggering unauthorized replies.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3 · AARS uplift 1.2 · Factor sum 3.1/10 · Threat ×1.05 · Mitigation ×0.85

Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.10
Contextual Awareness: 0.60
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — relies on the host client's foundation model. The primary L1 threat is indirect prompt injection, where malicious instructions embedded in Figma comments are parsed by the model and executed as tool calls.

L2 · Data Operations ✓ mapped

The agent acts as a data pipeline reading Figma comments via the REST API. Threats include data exfiltration of sensitive design discussions and the ingestion of poisoned comment data into the agent's context window.

L3 · Agent Frameworks ✓ mapped

Implements Model Context Protocol (MCP) tools for reading, querying, and replying. Vulnerable to tool misuse where an injected prompt forces the agent to post spam, malicious links, or unauthorized replies back to the Figma thread.

L4 · Deployment & Infrastructure ✓ mapped

Requires hosting of the MCP server and storage of the FIGMA_TOKEN. Threats include token exposure in environment variables and lack of sandboxing for the local MCP process.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — no built-in logging, auditing, or guardrails are mentioned. There is a high risk of blind spots regarding what comments are fetched and what replies are automatically generated.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Provides basic security scoping by supporting per-file token restrictions. However, it lacks robust authorization policies to prevent a user from accessing files they shouldn't if the token is over-privileged.

L7 · Agent Ecosystem ✓ mapped

As an MCP tool, it is designed to be orchestrated by parent AI assistants. This introduces multi-agent/ecosystem risks where a compromised orchestrator can abuse this tool to scrape or deface Figma files.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).