Figma
Advisory
Audited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After approval, the agent could make visible changes in Figma or create webhooks tied to Figma file events.
These are account-mutating or external-facing Figma actions. The same artifact also instructs the agent to preview and confirm writes, so the capability is disclosed and bounded by user approval.
- Post comments to files or branches
- Create webhooks for file events
- Attach development resources to nodes
Confirm each write or webhook action carefully, and review the target file, branch, node, destination, and expected effect before approving.
Granting access lets the integration act within the permissions approved in Figma and ClawLink.
The skill uses delegated OAuth/account access and a persistent local device credential. This is expected for the Figma integration and is disclosed, but it is still sensitive authority.
ClawLink's hosted page runs the Figma OAuth flow ... The resulting device credential is stored locally in OpenClaw's plugin config and is only sent to `claw-link.dev`.
Review the Figma OAuth scopes during connection, use the least-privileged account practical, and revoke the ClawLink/Figma connection when no longer needed.
The safety of actual Figma operations depends partly on the installed ClawLink plugin and live ClawLink tool catalog.
Runtime behavior depends on an external plugin and dynamic ClawLink tools that are not included in this one-file skill review. The install is user-directed and central to the stated purpose.
Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`
Install only the named verified plugin, check the ClawLink verification/source links, and avoid similarly named packages.
Figma requests and authorization handling depend on ClawLink, so sensitive design data or account actions may pass through that integration path.
The skill routes Figma integration setup and tool access through the third-party ClawLink gateway. This is disclosed and purpose-aligned, but users should understand the data and credential boundary.
Powered by [ClawLink](https://claw-link.dev), an integration hub ... that handles hosted connection flows and credentials
Use this only if you trust ClawLink for the relevant Figma workspace data, and review ClawLink's documentation, verification page, and connected-account controls.
