Scan report
15/100
figma-desktop
Figma Desktop MCP Skill - access full functionality through the Figma desktop app's local MCP server
Figma Desktop MCP Skill is a documentation-only skill providing instructions for connecting to Figma's local MCP server via mcporter - no executable code is present and no malicious behavior detected.
Can be installed
The skill is safe for use. Consider pinning the mcporter version in installation instructions to improve supply chain security.
Security findings: 1
| Severity | Security finding | Location |
|---|---|---|
| Low | Unpinned npm package installation (supply chain) | SKILL.md:47 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | No file operations found in SKILL.md |
| Network access | READ | READ | ✓ Consistent | Only localhost:3845 (Figma MCP) and documentation URLs referenced |
| Command execution | NONE | NONE | — | No shell commands executed by skill - only user-invoked CLI commands documented |
5 findings
Medium · External URL · http://127.0.0.1:3845/mcp · SKILL.md:8
Medium · External URL · https://www.figma.com/downloads/ · SKILL.md:33
Medium · External URL · https://developers.figma.com/docs/figma-mcp-server/ · SKILL.md:270
Medium · External URL · https://www.figma.com/blog/introducing-figma-mcp-server/ · SKILL.md:271
Medium · External URL · https://developers.figma.com/code-connect/ · SKILL.md:272
Directory structure
1 file · 6.9 KB · 272 lines
Markdown: 1f · 272L
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| mcporter | unpinned | npm | No | Version not pinned in documentation |
Security highlights
✓ Skill is purely documentation - no hidden executable code
✓ Network access is strictly localhost (127.0.0.1:3845) for Figma MCP
✓ No credential harvesting or environment variable access
✓ No obfuscation or base64-encoded payloads
✓ No sensitive file system access (.ssh, .aws, .env, etc.)
✓ No data exfiltration or external IP communication
✓ No reverse shell or command execution capabilities
✓ Legitimate Figma integration documented with clear use cases