Figma

v2.1.0

Professional Figma design analysis and asset export. Use for extracting design data, exporting assets in multiple formats, auditing accessibility compliance, analyzing design systems, and generating comprehensive design documentation. Read-only analysis of Figma files with powerful export and reporting capabilities.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (Figma design analysis & export) matches the shipped code (API client, export manager, accessibility and style auditors). The capability set (exporting images, auditing accessibility, generating tokens/docs) is coherent with the included scripts and references.
Instruction Scope
SKILL.md explicitly instructs users to set FIGMA_ACCESS_TOKEN and shows CLI commands that call the included Python scripts. Those instructions require reading remote Figma files and writing exported assets/reports to disk. The SKILL.md also claims read-only access to Figma files (reasonable), but the runtime instructions access an environment variable (FIGMA_ACCESS_TOKEN) that is not declared in the skill metadata—this is a direct scope/visibility mismatch.
Install Mechanism
There is no install spec (instruction-only at registry level), and the package includes Python scripts and a requirements.txt. No external download URLs or extract/install actions are present in the registry metadata. The risk is the usual one for shipped scripts (they will run on the host) but there is no installer that pulls arbitrary remote code.
Credentials
The SKILL.md and code expect a Figma access token (FIGMA_ACCESS_TOKEN) to call the Figma REST API, but the registry lists no required environment variables or primary credential—this is an incoherence. Aside from the Figma token, the requirements.txt contains only common Python networking libs (requests, aiohttp). There are no declared unrelated credentials, but the absence of a declared FIGMA_ACCESS_TOKEN is misleading and could cause unexpected prompts or runtime failures.
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-wide configuration changes. It will create output files (exports, reports) under local output directories as part of normal operation; this is consistent with its stated purpose but means running the scripts will write files to disk.
What to consider before installing
This skill includes runnable Python scripts that call the Figma API and write exported assets and reports to disk. Before installing or running it:

- Expect to provide a Figma access token (FIGMA_ACCESS_TOKEN). The registry metadata currently does not declare this—verify how the token is read by inspecting scripts/figma_client.py (look for environment variable or file-based token handling).
- Review figma_client.py to confirm the only network destination is the official Figma API (api.figma.com) and ensure no unexpected remote endpoints or obfuscated network calls exist.
- Run the scripts in an isolated environment (virtualenv, container) and with a scoped or temporary Figma token (principle of least privilege). Revoke the token after use if you are unsure.
- Be aware the tool will write exported images, token files, and reports to local directories (configurable output paths). Confirm output paths before running to avoid accidental overwrites.
- If you need higher assurance, ask the publisher for corrected registry metadata that explicitly declares the FIGMA_ACCESS_TOKEN requirement and for a homepage or source repo to review.

I rate this suspicious (not clearly malicious) because the functionality is consistent with a Figma export/audit tool, but the missing credential declaration and the presence of runnable networked scripts are an incoherence you should resolve before use.



