Figma Go — agentic threat model

AIVSS 6.6 · Medium

Figma Go acts as a local bridge exposing active Figma document data to LLMs via MCP. Its primary risk is the silent exfiltration of proprietary design assets if an untrusted or compromised agent calls its local tool endpoints.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 0.8 · Factor sum 2.3/10 · Threat ×1.0 · Mitigation ×0.9

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.30
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing: the foundation model is not specified, because Figma Go functions strictly as an MCP tool/bridge. However, any connected model is susceptible to prompt injection that could force unauthorized design data extraction.

L2 · Data Operations ✓ mapped

Reads active Figma document contents locally. The primary threat is data exfiltration of proprietary design files and UI/UX intellectual property through the local plugin channel to an untrusted LLM context.

L3 · Agent Frameworks ✓ mapped

Integrates via the Model Context Protocol (MCP). Insecure tool orchestration could allow malicious or compromised agent frameworks to silently call the bridge and harvest sensitive canvas data without explicit user consent.

L4 · Deployment & Infrastructure ✓ mapped

Runs as a local plugin bridge rather than using cloud REST APIs. This eliminates cloud credential exposure but introduces local socket/IPC vulnerabilities if other local processes can access the bridge.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing: there is no mention of built-in logging, transaction auditing, or guardrails to monitor what design data is being read or transmitted by the bridge.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Bypasses Figma REST API keys and network-scoped tokens by leveraging the local plugin channel. While this avoids API key leakage, it relies entirely on the local user's active Figma session permissions, lacking granular OAuth-like scopes.

L7 · Agent Ecosystem ✓ mapped

Designed as an MCP tool, making it highly composable within multi-agent workflows. A compromised downstream agent in the ecosystem could abuse this trust relationship to query and exfiltrate design data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).