Figma Comments MCP — agentic threat model
The Figma Comments MCP agent introduces moderate risk by bridging LLMs to external Figma files, allowing reading and writing of comments. The primary threat vector is indirect prompt injection from untrusted comment threads being executed as instructions or triggering unauthorized replies.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — relies on the host client's foundation model. The primary L1 threat is indirect prompt injection, where malicious instructions embedded in Figma comments are parsed by the model and executed as tool calls.
The agent acts as a data pipeline reading Figma comments via the REST API. Threats include data exfiltration of sensitive design discussions and the ingestion of poisoned comment data into the agent's context window.
Implements Model Context Protocol (MCP) tools for reading, querying, and replying. Vulnerable to tool misuse where an injected prompt forces the agent to post spam, malicious links, or unauthorized replies back to the Figma thread.
Requires hosting of the MCP server and storage of the FIGMA_TOKEN. Threats include token exposure in environment variables and lack of sandboxing for the local MCP process.
Not certain from the listing — no built-in logging, auditing, or guardrails are mentioned. There is a high risk of blind spots regarding what comments are fetched and what replies are automatically generated.
Provides basic security scoping by supporting per-file token restrictions. However, it lacks robust authorization policies to prevent a user from accessing files they shouldn't if the token is over-privileged.
As an MCP tool, it is designed to be orchestrated by parent AI assistants. This introduces multi-agent/ecosystem risks where a compromised orchestrator can abuse this tool to scrape or deface Figma files.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).