Security audit

Figma

Security checks across malware telemetry and agentic risk

Overview

This Figma skill reads and exports Figma design data as advertised, with ordinary cautions around tokens, local output files, and dependency hygiene.

Install only in a workspace where exported Figma assets and reports are acceptable to write. Store the Figma token as a secret, keep .env files out of source control, rotate the token if exposed, and prefer a dedicated output directory to avoid overwriting local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reference introduces write-capable Plugin API functionality even though the skill is described as read-only analysis and export. This mismatch can mislead an agent or integrator into generating or invoking mutating actions against Figma files, expanding the skill's effective privileges beyond its stated safety boundary.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document mixes read-oriented REST guidance with code samples that create text, rectangles, components, and modify properties. In a skill intended for read-only analysis, these examples materially increase the chance that downstream tooling or an LLM agent will perform unauthorized writes, violating user expectations and potentially altering design assets.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code writes an HTML report to a local file via `open(output_path, 'w')`, which contradicts the skill's stated read-only behavior. While this is not inherently malicious and appears intended for normal reporting, it expands the skill's side effects and could overwrite files if an unsafe path is supplied by a caller.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
In JSON output mode, the CLI can write analysis results to a caller-specified file path, again violating the read-only claim. This introduces local filesystem modification capability and potential file overwrite risk, even though the apparent purpose is convenience rather than abuse.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata describes the capability as read-only analysis, but this function performs a local file write of downloaded content to an arbitrary path. That mismatch can surprise users, violate least-surprise expectations, and enable unintended overwrites or persistence on the host when the skill is assumed to be non-writing.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI can write analysis results to disk via --output even though the skill is presented as read-only analysis. In an agent environment, that discrepancy matters because users or orchestrators may trust the skill not to modify local state, creating a policy bypass or accidental file overwrite risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The authentication section tells users to place a Figma access token in an environment variable or append it to a .env file, but provides no warning about treating the token as a secret, avoiding commits, or restricting file permissions. This can lead to credential leakage through source control, shared workspaces, shell history, or improperly protected local files, enabling unauthorized access to Figma resources available to that token.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The authentication section tells users to set and send a personal access token but gives little emphasis to secure handling beyond basic setup. In skill ecosystems, insufficient warning around secret sensitivity can lead to tokens being hardcoded, logged, or exposed in prompts or client-side contexts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The image download helper writes remote content directly to a caller-specified local path without any guardrails or confirmation. In a tool/agent context, arbitrary path writes can overwrite local files, place unexpected artifacts on disk, or be abused if untrusted inputs control the destination path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Saving CLI output to an arbitrary path without warning creates a direct local file write primitive. Even though the content is just JSON results, the lack of confirmation and path restrictions can still lead to accidental overwrites or policy violations in environments expecting non-mutating analysis.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
pathlib
Confidence
84% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
pathlib
Confidence
84% confidence
Finding
aiohttp>=3.9.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
requests

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
aiohttp

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.