figma-developer-mcp

MCP

Give your coding agent access to your Figma data. Implement designs in any framework in one-shot.

v0.6.4 MIT Tested 8 Feb 2026
5.5

Dimension scores

Security 4.0
Reliability 6.0
Agent usability 3.0
Compatibility 8.0
Code health 8.0

Compatibility

Framework         | Status | Notes
Claude Code       |        |
OpenAI Agents SDK | ~      | Uses StreamableHTTP transport, which requires adapter code for the OpenAI SDK; complex nested schemas may need flattening for the OpenAI function-calling format; progress notifications are not directly compatible with OpenAI SDK patterns
LangChain         |        | HTTP transport requires a custom LangChain MCP adapter; stateless design is compatible with the LangChain execution model

Security findings

HIGH

Figma API key and OAuth token exposed in command-line arguments

src/config.ts lines 36-44: CLI arguments '--figma-api-key' and '--figma-oauth-token' accept credentials directly. These are visible in process listings (ps, top) and shell history, exposing secrets to local attackers or anyone with system access.

HIGH

Credentials logged in server configuration output

src/config.ts lines 147-172: The config logging function uses maskApiKey() but only for display purposes. If verbose logging is enabled or errors occur, full credentials could leak into logs. The masked display still confirms key presence.

HIGH

No input validation on Figma file keys or node IDs

src/mcp/index.ts and tool definitions: File keys and node IDs from user input are passed directly to Figma API without validation. While this doesn't directly expose the server, malformed inputs could cause unexpected API behavior or trigger error messages that leak information.

MEDIUM

Path traversal risk in image download functionality

MEDIUM

Verbose error handling may leak system information

MEDIUM

Express JSON parsing without size limits

MEDIUM

Session management lacks expiration or cleanup

Reliability

Success rate

72%

Calls made

100

Avg latency

2500ms

P95 latency

8000ms

Failure modes

  • Network failures from Figma API calls lack comprehensive retry logic
  • Missing authentication (FIGMA_API_KEY) causes startup failure with unclear error
  • Malformed Figma file keys or invalid URLs not validated before API calls
  • HTTP server endpoints lack comprehensive error boundaries; transport errors may crash the server
  • Session management in StreamableHTTP lacks cleanup on connection errors
  • File system operations (downloadFigmaImage, writeLogs) don't handle permission errors
  • Progress token notifications don't handle transport closure during long operations
  • YAML/JSON parsing errors from malformed tool responses not caught at boundaries
  • Type assertions throughout codebase (e.g., isFrame, isLayout) may fail on unexpected Figma API changes
  • No timeout protection on fetch calls to Figma API or image downloads
  • Missing validation on user input for fileKey, nodeIds before external API calls
  • Environment variable parsing (PORT, HOST) lacks validation for invalid values

Code health

License

MIT

Has tests

Yes

Has CI

No

Dependencies

42

Active, well-maintained MCP server with TypeScript, tests, and comprehensive documentation. Strong points: multiple language READMEs, detailed CHANGELOG, CONTRIBUTING guide, ROADMAP, and proper semantic versioning. Uses modern tooling (tsup, eslint, prettier, lefthook). Has integration tests but no CI configuration detected. Some dependencies are slightly outdated but no critical vulnerabilities. Minor gaps: no CI/CD automation and test coverage not reported. Overall excellent code health for a young project (v0.6.4).