Craw Figma

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Figma automation bridge, but it gives an AI/local connector broad power to edit, delete, and export Figma content without enough safeguards.

Install only if you are comfortable giving a local AI workflow real-time control over the active Figma file. Use it on copies or versioned files, avoid sensitive customer/proprietary designs unless needed, verify any connector code from the external repository before running it, and do not leave the localhost connector running when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly describes exporting Figma content as base64 through the local connector and saving the resulting images to disk in /tmp for AI analysis, but it does not warn users that potentially sensitive design data may be persisted locally and made available to other tools. In the context of a bidirectional AI-to-Figma bridge, this increases the chance of unintentional data exposure, especially when designs contain proprietary UI, product plans, or customer information.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises create/modify/delete operations that take effect in real time in Figma Desktop, but it lacks a clear caution section about destructive changes, scope of modification, or the need for user confirmation before writes. In a design tool context, silent or overly easy write access can cause immediate loss of work, document corruption, or unintended bulk edits.

Missing User Warnings

Low
Confidence: 80%
Finding
The auto-setup instructions tell the agent to offer running a local connector process if it has shell access, but do not clearly warn the user that this launches a persistent local service on their machine. Even if bound to localhost, starting background services changes the host state and can broaden attack surface if users are not informed.

Missing User Warnings

Medium
Confidence: 89%
Finding
The plugin exposes a direct deleteNode command that removes arbitrary nodes by ID with no confirmation, authorization gate, or scope restriction. In this skill's context, commands are polled from a UI proxy and write operations occur in real time, so a compromised or mistaken upstream controller could silently destroy design content.

Missing User Warnings

Medium
Confidence: 93%
Finding
When asBase64 is enabled, exported node contents are serialized and posted to the UI proxy without any explicit consent, disclosure, or policy check. Because this skill is designed for bidirectional integration via a local connector, that proxy is a trust boundary; sensitive designs, assets, or proprietary UI content could be exfiltrated from Figma to external components.

Missing User Warnings

Medium
Confidence: 90%
Finding
The UI forwards command results and exported PNG data to a local HTTP service on localhost:9199 with no visible disclosure, consent flow, or trust verification in this file. In the context of a bidirectional Figma integration that can read designs and export assets, this creates a real data-exfiltration path to any process bound to that port, potentially leaking document content, metadata, and exported images without clear user awareness.

VirusTotal

VirusTotal findings are pending for this skill version.
