Figma
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Figma API helper that uses a Figma token to read/export Figma data and save exported images locally, with no hidden or destructive behavior evident.
Install this only if you are comfortable giving the agent a Figma personal access token for read/export tasks. Keep the token private, prefer limited access where possible, and be aware that exports save files into the current working directory.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with a real token, the agent can retrieve Figma account, team/project, file, and comment data that the token can access.
The script uses a Figma personal access token from the environment to authenticate API requests, which is expected for the skill but grants access to Figma resources available to that token.
token = os.getenv("FIGMA_TOKEN") ... req.add_header("X-Figma-Token", self.token)
Use a token with the least access needed, keep it private, revoke it when no longer needed, and only ask the agent to access Figma files or teams you intend to share with it.
Export requests can create local image/PDF files and make network downloads as part of the expected Figma export workflow.
During export, the script downloads image URLs returned by the Figma API and writes the resulting files to the local current working directory.
with urllib.request.urlopen(image_url) as response:
with open(filename, "wb") as f:
Run exports from a directory where saved files are acceptable, review generated files before using or sharing them, and clean them up when no longer needed.
