74
/ 100
4 days ago
glama

Figma Console MCP

Model Context Protocol server that bridges design and development, giving AI assistants complete access to Figma for extraction, creation, debugging, and bidirectional token sync.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
⚠️
Known vulnerabilities in dependencies: 3 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 1 credential: FIGMA_ACCESS_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies3 high5 medium8 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

highws@8.19.0GHSA-96hv-2xvq-fx4p

ws: Memory exhaustion DoS from tiny fragments and data chunks

highvite@6.0.0GHSA-fx2h-pf6j-xcff

vite: `server.fs.deny` bypass on Windows alternate paths

highvite@6.0.0GHSA-p9ff-h696-f583

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

mediumvite@6.0.0GHSA-356w-63v5-8wf4

Vite has an `server.fs.deny` bypass with an invalid `request-target`

mediumvite@6.0.0GHSA-4w7w-66w2-5vf9

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configAPP_NAME
configENABLE_MCP_APPSclaude mcp add figma-console -s user -e FIGMA_ACCESS_TOKEN=figd_YOUR_TOKEN_HERE -e =true -- npx -y figma-console-mcp@latest
🔐 secretFIGMA_ACCESS_TOKENclaude mcp add figma-console -s user -e =figd_YOUR_TOKEN_HERE -e ENABLE_MCP_APPS=true -- npx -y figma-console-mcp@latest
configFIGMA_CONSOLE_CONFIG
configFIGMA_MCP_MODE
configFIGMA_WS_HOSTOverride the WebSocket server bind address (default: localhost). Set to 0.0.0.0 when running inside Docker so the host machine can reach the MCP server.
configFIGMA_WS_PORTOverride the preferred WebSocket port (default: 9223). The server will fall back through a 10-port range starting from this value if the preferred port is occupied.
configLOG_LEVEL
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 9 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/dexmachina-design-figma-console-mcp-dh9hs8)](https://m8ven.ai/mcp/dexmachina-design-figma-console-mcp-dh9hs8)
commit: f139a1a25b9140f54c208dfe6723b22ba3c20721
code hash: e60a14908fa024eca9eddea1610614f186b0f43811cd23b751561b828665e577
verified: 7/9/2026, 10:08:41 AM
view raw JSON →