Figma
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with a real token, the agent can retrieve Figma account, team/project, file, and comment data that the token can access.
The script uses a Figma personal access token from the environment to authenticate API requests, which is expected for the skill but grants access to Figma resources available to that token.
token = os.getenv("FIGMA_TOKEN") ... req.add_header("X-Figma-Token", self.token)
Use a token with the least access needed, keep it private, revoke it when no longer needed, and only ask the agent to access Figma files or teams you intend to share with it.
Export requests can create local image/PDF files and make network downloads as part of the expected Figma export workflow.
During export, the script downloads image URLs returned by the Figma API and writes the resulting files to the local current working directory.
with urllib.request.urlopen(image_url) as response:
with open(filename, "wb") as f:
Run exports from a directory where saved files are acceptable, review generated files before using or sharing them, and clean them up when no longer needed.
