Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Figma Mobile

v1.0.0

Converts Figma design files into mobile UI code (Android Jetpack Compose / XML, iOS SwiftUI / UIKit). Use it when the user pastes a Figma link and wants layout code generated. It extracts the design tree and tokens via the Figma REST API, asks clarifying questions when necessary, and then outputs production-ready engineering code.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, required binary (node), and the single required env var (FIGMA_TOKEN) align with a tool that calls the Figma REST API and generates mobile UI code. Included scripts (figma-fetch, project-scan, feedback-analyze) are coherent with the stated functionality.
Instruction Scope
SKILL.md instructs interactive fetch/analysis and local file generation (expected), but also tells the agent to ask the user to paste the Personal Access Token into the conversation and then persist it into a project .env file. Asking users to paste secrets in chat and capturing them in logs or files is outside the necessary scope and raises data-leakage risk.
Install Mechanism
No external install/downloads are declared; the skill is instruction-first with bundled Node scripts and no third-party npm dependencies. That is proportionate and low-risk compared to remote downloads or unknown installers.
Credentials
Only FIGMA_TOKEN is requested (appropriate for calling Figma API). However, the skill's documented guidance to solicit the token in-chat and write it into a project .env is disproportionate and unsafe: the requested method of obtaining the secret (via conversation) is not justified by the functionality and may lead to accidental exposure.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The skill does write/modify project files (feedback-log.md, .env per guidance) and can run scans against a provided project path — these behaviors are consistent with generating code but mean the skill will create and modify files in the project root. This is expected but worth confirming with the user before running.
What to consider before installing
This skill appears to be what it says (Figma → mobile UI code) and only needs a Figma Personal Access Token. However: do not paste your FIGMA_TOKEN into the chat. The SKILL.md explicitly tells the agent to ask for the token in conversation and save it to .env — that practice risks exposing your token in chat logs. Prefer one of these safer options: 1) set FIGMA_TOKEN as an environment variable or in a secure agent/secret store (not in chat), 2) inspect the included scripts (scripts/src/load-env.js and scripts/src/figma-fetch.js) yourself before running to confirm they only call api.figma.com and do not exfiltrate data elsewhere, 3) run the scripts locally on a machine you control rather than giving the token to a remote agent, 4) create a scoped/temporary Figma token you can revoke after use. If you decide to proceed, avoid providing secrets via chat and rotate any token that may have been shared.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/src/figma-fetch.js:29
Environment variable access combined with network send.




Runtime requirements

Bins: node
Env: FIGMA_TOKEN
Primary env: FIGMA_TOKEN
