Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Figma Mobile Cn
v1.0.0
Converts Figma design files into mobile UI code (Android Jetpack Compose / XML, iOS SwiftUI / UIKit). Use it when the user pastes a Figma link and wants layout code generated. It extracts the design tree and tokens via the Figma REST API, asks clarifying follow-up questions when necessary, and then outputs production-ready engineering code.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
Name/description (Figma → mobile UI code) matches the actual footprint: Node scripts that call the Figma REST API and generate Android/iOS code. Required binary (node) and FIGMA_TOKEN credential are expected and proportional to the task.
Instruction Scope
SKILL.md tells the agent to run local scripts (scripts/src/figma-fetch.js, project-scan, feedback-analyze) and to ask users for clarifying questions. Critically, the instructions explicitly tell the agent to ask the user to paste their FIGMA_TOKEN into the conversation and then write it into a project-root .env file — this exposes a secret in chat and stores it on disk. The skill also recommends (and can run) a project scan that reads arbitrary project files; that is functional for resource reuse but broadens the agent's access to local data.
Install Mechanism
No external install downloads or obscure URLs; this is instruction-only with local JS scripts (ESM) that use built-in fetch in Node 18+. package.json exists only for type/module and scripts; no third-party npm dependencies are declared — low install risk.
Credentials
Only FIGMA_TOKEN is required which is appropriate for calling the Figma API. However, instructing users to paste the token into conversational text (and to persist it into .env) is disproportionate from a secrets-handling perspective: secrets should be supplied via secure environment/secret bindings, not posted into chat or stored in a project file unless the user explicitly accepts that persistence.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It does suggest writing persistent artifacts to the project (feedback-log.md and .env with the token) and optionally scanning local project paths. Persisting a personal access token in project files increases exposure risk (e.g., accidental commits); this is a user-visible behavior the user should opt into consciously.
What to consider before installing
This skill appears to do what it says (convert Figma via the Figma API), but be cautious about secret handling and local scans: do NOT paste your FIGMA_TOKEN into a public chat or message history. Prefer giving the skill the token via your agent/platform's secure secret mechanism or set FIGMA_TOKEN in your environment before invoking the skill. If you must use a token in-project, create a limited-scope personal access token, run the scripts locally in an isolated directory, and remove/revoke the token after use (delete the .env file and rotate the token). Only run the optional project-scan on directories you trust and inspect scripts/src/figma-fetch.js and scripts/src/load-env.js for network targets before running; if you want, paste those script sources here (or let me analyze them) so I can check for unexpected external endpoints or exfil patterns.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/src/figma-fetch.js:29: Environment variable access combined with network send.
Version: latest (vk9756vsgb46j9c0s88njsysw4s84fehp)
Runtime requirements
Bins: node
Env: FIGMA_TOKEN
Primary env: FIGMA_TOKEN
