Figma figma-use — agentic threat model
The Figma figma-use agent poses a moderate-to-high risk: it executes direct write actions on live Figma files, components, and design tokens through the MCP server, so a prompt injection that reaches the model can be turned into unauthorized edits that corrupt proprietary design assets, or into exfiltration of them.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0 to 1) |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models: Not certain from the listing; assumes a standard LLM drives the MCP tool. Threats include prompt injection that steers the model into unauthorized canvas modifications or data exfiltration.
Layer 2, Data Operations: Not certain from the listing; the agent reads and writes Figma canvas data, variables, and tokens. Threats include poisoning of design tokens and exfiltration of sensitive proprietary UI designs.
Layer 3, Agent Frameworks: Orchestrates the Figma MCP server through the use_figma tool and handles API call sequencing and session state (currentPage resets). Threats include tool misuse, injection of malicious API payloads, and bypass of the sequencing logic.
Layer 4, Deployment and Infrastructure: Not certain from the listing; runs over MCP (Model Context Protocol), whose servers typically run locally or in a hosted environment. Threats include insecure local MCP server configuration and exposed API tokens.
Layer 5, Evaluation and Observability: Not certain from the listing; no built-in logging, guardrails, or evaluation framework for the generated Figma API calls is mentioned.
Layer 6, Security and Compliance: Not certain from the listing; relies on the underlying Figma API/MCP authentication (likely OAuth or personal access tokens) but has no explicit policy enforcement or audit logging within the skill itself.
Layer 7, Agent Ecosystem: Not certain from the listing; packaged as an Agent Skill that could be integrated into larger multi-agent workflows, with the risk of cascading write actions if a compromised upstream agent triggers it.
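Layers 3, 5 and 6 above all come down to the same gap: the skill issues write calls against live files with no policy check or audit trail of its own. The block below is an added example of the kind of gate a deployer can put between the model and the MCP server, and it is not code from the figma-use skill or from Figma. It assumes a tool-call shape of `{"tool": "use_figma", "operation": ..., "args": {"file_key": ...}}` and illustrative operation names such as `get_node`, `set_text` and `delete_node`; none of these are documented on this page. The gate denies unknown operations by default, confines the session to an allowlist of files, caps the number of write calls, requires out-of-band human approval for destructive operations, and keeps a hash-chained audit log so that a tampered entry is detectable.

```python
import hashlib
import json
import time


class PolicyViolation(Exception):
    """Raised when a tool call is refused by the gate."""


# Illustrative operation names (assumption): the real use_figma operations
# are not documented on this page.
READ_OPS = {"get_file", "get_node", "list_variables"}
WRITE_OPS = {"set_text", "set_variable", "create_node"}
DESTRUCTIVE_OPS = {"delete_node", "delete_variable", "publish_library"}


def classify(operation):
    """Map an operation to read/write/destructive; anything unknown is denied."""
    if operation in READ_OPS:
        return "read"
    if operation in WRITE_OPS:
        return "write"
    if operation in DESTRUCTIVE_OPS:
        return "destructive"
    raise PolicyViolation(f"unknown operation {operation!r}: denied by default")


class ToolGate:
    """Sits between the model and the MCP server; every call goes through dispatch()."""

    def __init__(self, allowed_files, max_writes, approved_destructive=()):
        self.allowed_files = set(allowed_files)
        self.max_writes = max_writes
        self.writes_used = 0
        # destructive operations a human approved for this session, out of band
        self.approved_destructive = set(approved_destructive)
        self.audit = []
        self._prev_hash = "0" * 64

    def check(self, call):
        """Return the call's class if policy allows it, else raise PolicyViolation."""
        kind = classify(call.get("operation"))
        file_key = call.get("args", {}).get("file_key")
        # scope applies to reads too: reading an out-of-scope file is exfiltration
        if file_key not in self.allowed_files:
            raise PolicyViolation(f"file {file_key!r} is outside the session scope")
        if kind == "read":
            return kind
        if self.writes_used >= self.max_writes:
            raise PolicyViolation("write budget for this session is exhausted")
        if kind == "destructive" and call["operation"] not in self.approved_destructive:
            raise PolicyViolation(f"{call['operation']} requires human approval")
        return kind

    def _log(self, call, decision, detail):
        """Append a hash-chained audit entry; each hash covers the previous one."""
        entry = {"ts": time.time(), "call": call, "decision": decision,
                 "detail": detail, "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.audit.append(entry)
        self._prev_hash = digest

    def dispatch(self, call, executor):
        """Enforce policy, then run executor(call) only if allowed; log either way."""
        try:
            kind = self.check(call)
        except PolicyViolation as exc:
            self._log(call, "denied", str(exc))
            return {"ok": False, "error": str(exc)}
        result = executor(call)
        if kind != "read":
            self.writes_used += 1
        self._log(call, "allowed", kind)
        return {"ok": True, "result": result}


def verify_audit(audit):
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in audit:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True


def demo():
    """Constructed tool-call sequence (not real traffic) run through the gate."""
    gate = ToolGate(allowed_files={"FILE_A"}, max_writes=2)

    def fake_server(call):  # stands in for the real MCP server
        return {"echo": call["operation"]}

    calls = [
        {"tool": "use_figma", "operation": "get_node", "args": {"file_key": "FILE_A", "node": "1:2"}},
        {"tool": "use_figma", "operation": "set_text", "args": {"file_key": "FILE_A", "node": "1:2", "text": "Hi"}},
        {"tool": "use_figma", "operation": "delete_node", "args": {"file_key": "FILE_A", "node": "1:2"}},
        {"tool": "use_figma", "operation": "set_variable", "args": {"file_key": "FILE_B", "name": "color/primary"}},
        {"tool": "use_figma", "operation": "export_to_url", "args": {"file_key": "FILE_A", "url": "http://example.invalid"}},
    ]
    return [gate.dispatch(c, fake_server)["ok"] for c in calls], gate


if __name__ == "__main__":
    decisions, gate = demo()
    print(decisions, "writes used:", gate.writes_used, "audit intact:", verify_audit(gate.audit))
```

In the constructed run, only the in-scope read and the first in-scope write are allowed; the unapproved delete, the write to a file outside the session scope, and the unknown export operation are refused and still recorded. The write budget is what limits the blast radius of the "cascading write actions" noted under Layer 7: an upstream agent that hijacks the session can spend at most `max_writes` calls before the gate stops it.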
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).