Figma Dev Mode MCP Server — agentic threat model
The Figma Dev Mode MCP Server acts as a read-only bridge exposing local design data and variables to AI agents, presenting a low-risk profile focused primarily on local data exposure and design intellectual property leakage.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models (not certain from the listing): The server itself does not bundle a foundation model, but the downstream AI coding tools consuming its data are vulnerable to prompt injection or adversarial design structures that could manipulate code generation.
Layer 2, Data Operations: Exposes local Figma design data, variables, and tokens. The primary risk is unauthorized data exfiltration of proprietary design assets or sensitive design tokens if the consuming agent is compromised or malicious.
Layer 3, Agent Frameworks: Integrates as an MCP tool. Risks include insecure tool integration where a downstream agent misinterprets the read-only design data or is tricked into sending the design context to unauthorized external endpoints.
Layer 4, Deployment and Infrastructure: Runs locally against the Figma desktop app. The primary infrastructure threat is local port exposure or unauthorized local processes querying the MCP server to extract active Figma selection data without user consent.
Layer 5, Evaluation and Observability (not certain from the listing): There is no mention of built-in logging, auditing, or guardrails to monitor which local processes or agents are querying the Figma Dev Mode server or what design data is being extracted.
Layer 6, Security and Compliance: Relies on Figma's local session and API permissions. Lacks explicit fine-grained authorization controls within the MCP server itself to restrict which design files or frames the local agent is permitted to read.
Layer 7, Agent Ecosystem: Designed to feed context directly into AI coding agents. A compromised downstream agent in the ecosystem could abuse this trust relationship to silently harvest design tokens and proprietary UI layouts.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).