Get all local variables and variable collections from the Figma document. Returns variables with their types (COLOR, FLOAT, STRING, BOOLEAN), modes, and values. WARNING: Can return 25k+ tokens and may be truncated. Use figma_search_variables instead when looking for specific variables.
AI agents call figma_get_local_variables to retrieve information from Figma MCP Bridge without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
The tool retrieves and returns data about variables in a Figma document. While it may return large amounts of data (25k+ tokens), this is purely informational with no capability to modify, delete, or execute operations. It poses minimal risk as a standalone read operation, though volume of data could be a concern in some contexts. Classified as Read with low severity.
From the tool's definition Tool name contains 'get', and description states it 'Get[s] all local variables and variable collections from the Figma document. Returns variables with their types...modes, and values.' This is a query/retrieval operation with no modification or side effects.
Documented attack patterns abuse exactly the kind of access figma_get_local_variables gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Figma MCP Bridge, and nothing reaches the server without passing your rules. This is the rule we recommend for figma_get_local_variables:
{
"version": "1",
"default": "deny",
"tools": {
"figma_get_local_variables": {}
}
}figma_get_local_variables is read-only, so it stays allowed — but everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Get all local variables and variable collections from the Figma document. Returns variables with their types (COLOR, FLOAT, STRING, BOOLEAN), modes, and values. WARNING: Can return 25k+ tokens and may be truncated. Use figma_search_variables instead when looking for specific variables. It is categorised as a Read tool in the Figma MCP Bridge MCP Server, which means it retrieves data without modifying state.
Register the Figma MCP Bridge MCP server in PolicyLayer and add a rule for figma_get_local_variables: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Figma MCP Bridge. Nothing to install.
figma_get_local_variables is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the figma_get_local_variables rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for figma_get_local_variables. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
figma_get_local_variables is provided by the Figma MCP Bridge MCP server (magic-spells/figma-mcp-bridge). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Figma MCP Bridge, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
88 Figma MCP Bridge tools catalogued and risk-classified — across an index of 43,000+ MCP servers.