Figma MCP Server — agentic threat model

AIVSS 6.7 · Medium

The Figma MCP Server presents a moderate security risk primarily centered on data confidentiality, as it exposes sensitive organizational design assets and variables to LLMs and downstream code-generation agents.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM (threat multiplier)

CVSS base 6.5 · AARS uplift 0.91 · Factor sum 2.6/10 · Threat ×1.0 · Mitigation ×0.9

Agentic risk factors (summing to Factor_Sum = 2.6):

Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.00
Contextual Awareness: 0.70
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.60
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
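Recomputing the listing's score from the formula above, as an added example that is not part of the listing: it takes the ten factor values as given and assumes the CVSS v3.x qualitative bands (Medium 4.0–6.9, High 7.0–8.9) carry over to AIVSS.

```python
# Added example, not from the listing: recompute the OWASP AIVSS score above from
# the published formula. Factor names/values are the listing's; the severity
# bands are the CVSS v3.x qualitative scale, assumed here to apply to AIVSS too.

# Agentic risk factors for the Figma MCP Server, as given in the listing.
FIGMA_MCP_FACTORS = {
    "Autonomy of Action": 0.20, "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00, "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.00, "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.20, "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.20, "Opacity & Reflexivity": 0.30,
}

def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic AI Risk Score: AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    Each factor is clamped to [0, 1] so a mis-entered value cannot push the
    uplift past the headroom remaining below 10.
    """
    factor_sum = sum(min(max(v, 0.0), 1.0) for v in factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10 and rounded
    to one decimal, as the listing presents it."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(raw, 10.0), 1)

def severity(score):
    """CVSS v3.x qualitative bands (assumed to carry over to AIVSS)."""
    for ceiling, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= ceiling:
            return label
    return "Critical"

def scorecard(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """The listing's summary row as a dict, for side-by-side comparison."""
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "cvss_base": cvss_base,
        "aars_uplift": round(aars(cvss_base, factors, threat_multiplier), 2),
        "factor_sum": round(sum(factors.values()), 2),
        "aivss": score,
        "severity": severity(score),
    }

if __name__ == "__main__":
    # Listing inputs: CVSS base 6.5, threat x1.0, mitigation x0.9 -> AIVSS 6.7 (Medium).
    print(scorecard(6.5, FIGMA_MCP_FACTORS, 1.0, 0.9))
    print(scorecard(6.5, FIGMA_MCP_FACTORS, 1.0, 1.0))  # no mitigation credit -> 7.4 (High)
```

The second call shows how much the 0.9 mitigation factor matters: without it the same factor profile crosses the High threshold.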

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary, because the public description did not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The Figma MCP server acts as an integration layer and does not specify a native foundation model, meaning model-level threats like adversarial reprogramming or membership inference depend entirely on the client-side LLM hosting the MCP client.

L2 · Data Operations (✓ mapped)

Exposes Figma design files, node structures, variables, and component data. The primary threat is data exfiltration or unauthorized access to sensitive intellectual property (shared or organizational design data) flowing through the model.

L3 · Agent Frameworks (✓ mapped)

Implements the Model Context Protocol (MCP) to expose tools for reading Figma files and nodes. Vulnerabilities could include insecure tool integration or prompt injection leading to unauthorized file reads beyond the intended scope.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment (local MCP host vs. cloud-hosted) and sandboxing of the MCP server are not specified, leaving potential risks of local privilege escalation or exposed local ports depending on the user's setup.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, audit trails, or guardrails to monitor what design data is being queried by the agent or to detect anomalous data extraction patterns.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on the user's existing Figma access permissions ('reads file content the user has access to'). However, there is a risk of privilege delegation where the agent accesses files the user has access to but did not intend to share with the LLM.

L7 · Agent Ecosystem (✓ mapped)

Designed to allow other agents to consume design data to generate code. This introduces multi-agent risks where a downstream code-generation agent could be compromised, leading to the leakage of the retrieved design context.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).