Figma
v1.0.3
Interact with Figma files to read structure, export layers as images, and retrieve comments using the Figma REST API with authentication.
⭐ 0 · 1.3k · 3 current · 3 all-time
by @kai-tw
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual functionality. The only required environment variable is FIGMA_TOKEN, which is exactly what a Figma API client needs. The scripts expose read-only endpoints (file, comments, team/project listing) and image export — all aligned with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the included CLI script and only references the FIGMA_TOKEN. The script makes HTTP requests to api.figma.com and downloads image URLs returned by the Figma images endpoint. The skill writes exported image files to the current working directory (documented in README). There are no instructions to read unrelated local files or send data to unexpected external endpoints.
Install Mechanism
No install specification is provided (instruction-only skill with included Python script). Nothing is downloaded or installed automatically; no external archives or third-party packages are pulled by an installer.
Credentials
Only FIGMA_TOKEN is required. That single credential is proportional to a Figma API client. The README appropriately flags FIGMA_TOKEN as sensitive. The code only reads that env var and does not request other credentials.
Persistence & Privilege
always is false and the skill does not request persistence or modify other skills or system settings. It can be invoked autonomously per platform defaults, which is expected for a tool-like skill.
Assessment
This skill appears to do what it claims, but take normal precautions: only install from trusted sources; supply a Figma PAT with the minimum required scope and rotate it if you stop using the skill; run exports in a safe/isolated working directory (the tool writes files to CWD); be aware the script will download image URLs returned by the Figma API (so inspect logs or filenames if you worry about unexpected hosts); and review the included script before use if you want to verify there are no changes beyond read-only API calls.
Like a lobster shell, security has layers — review code before you run it.
Tags: api, design, figma, latest
Runtime requirements
📐 Clawdis
Env: FIGMA_TOKEN
