Taming AI: How I Integrated Figma MCP in React Native under a Zero Trust Architecture
The convergence of Artificial Intelligence and mobile development is changing the way we write code. In my experience over the last decade building web and mobile applications, I have rarely seen such a radical productivity jump as the one offered by AI agents (Cursor, Claude Code, Windsurf, Antigravity, etc.) when we give them real context.
Being able to tell your favorite AI Agent: "Look at this design in Figma and generate the component in React Native with TypeScript" is pure magic. The standard that makes this possible is the Model Context Protocol (MCP).
But in high-security corporate environments, magic has a limit: cyber risk.
Recently, cybersecurity teams have started blocking open-source Figma MCP servers (like the popular GLips/Figma-Context-MCP). The reason? Critical vulnerabilities like the CVE-2025-53967, which allowed Remote Code Execution (RCE) due to the insecure use of subshells in Node.js.
As engineers, our response cannot be to avoid security using "Shadow IT", especially because this is basically just an npm package running on your local machine. But we also should not accept losing the development speed we get from these incredible tools. The solution is to design security from the beginning.
In this article, I explain how I designed a Proof of Concept (POC) to isolate an unsafe Figma MCP server inside a Distroless container, and basically how I learned what Distroless is, mitigating the RCE by design and allowing the generation of highly typed React Native code without triggering InfoSec alarms.
1. The Attack Vector: Why InfoSec hates (with good reason) your local Node server
The problem with community MCP servers is that they assume an unrestricted execution environment. If the Figma tool fails when making a request to the API and decides to use a fallback command with child_process.exec, a malicious actor (or a prompt injection attack in the LLM) could inject pipes | or && into the console.
If you run the MCP server directly with your local Node.js, the attacker just gained full access to your workstation. And if you are connected to your company network, this can be extremely risky for everyone inside the organization.
2. The Solution: Minimalist Cryptographic Isolation with Distroless
To demonstrate that we can use these tools safely, I built a minimal-privilege architecture. Instead of compiling to WebAssembly (which is ideal but operationally complex for a quick POC), I used Docker Distroless images.
Here is where I had to research online and ask Gemini a bit about what Distroless is and what security implications it has. Google Distroless images contain the application and its runtime dependencies, but they do not include a shell (/bin/sh or /bin/bash). Without a shell, command injection becomes mathematically impossible. The attack fails before it even starts.
The Hardened Dockerfile
We use a multi-stage build to install the tools and then move them into a sterile and non-privileged environment:
# Stage 1: Builder (Community tool installation)
FROM node:20-bullseye-slim AS builder
WORKDIR /app
RUN npm init -y && npm install figma-context-mcp
# Stage 2: Runner (Distroless - No Shell, No RCE Risk)
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/node_modules /app/node_modules
# Force execution as a non-privileged user
USER nonroot
# The Entrypoint directly invokes the binary, forcing the use of stdio
ENTRYPOINT ["/nodejs/bin/node", "/app/node_modules/figma-context-mcp/dist/index.js"]
Zero Trust Orchestration in the IDE
To connect this container with an agentic IDE like the ones mentioned above, we do not expose HTTP ports or mount writable volumes. We restrict the container to read-only mode, remove its kernel capabilities, and communicate only through standard input/output streams (stdio).
MCP server configuration in the IDE:
{
"mcpServers": {
"figma-zero-trust": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only", // Prevent malicious writes
"--cap-drop=ALL", // Remove kernel privileges
"--security-opt=no-new-privileges:true",
"--env-file",
"/absolute/path/to/your/.env", // Inject ephemeral Figma token
"figma-mcp-distroless:latest",
"--stdio" // Force JSON-RPC protocol, no web servers
]
}
}
}
3. Taming the Output: From Raw Data to React Native
With security guaranteed, we face the next problem: general MCP servers output massive node trees (JSON/YAML) instead of code. The AI agent often gets overwhelmed and only summarizes the data.
To close the mobile development loop, you need to create strict System Prompting rules using a .cursorrules, .windsurf/rules, or the rules system of your favorite AI Agent in the project root. This forces the AI to behave like a Senior React Native Developer, not like a data extractor:
# Figma MCP Interaction Rules
1. DO NOT create `.yaml`, `.json`, or `.md` files with raw Figma data dumps.
2. Your goal is to translate visual metadata (layout, styles) directly into functional **React Native** components using **TypeScript**.
3. Primitive mapping:
- Translate Figma groups/frames to `<View>`.
- Translate text layers to `<Text>`.
- Translate Auto Layout to `Flexbox` rules inside a `StyleSheet`.
4. Strict typing: Generate TypeScript interfaces for props based on detected variants.
The Verdict
Information security and development agility do not have to be natural enemies.
By applying system engineering principles (containers without a shell, read-only volumes, and limited networks), we transformed an npm package blocked for critical vulnerabilities into a highly productive and cryptographically secure bridge between our design system and our mobile codebase.
AI will not replace software engineering; it will require engineers to build the secure infrastructure where it can operate. And this POC proves that it can be done today.