figma-design-analyzer

Pass. Audited by ClawScan on May 10, 2026.

Overview

This looks like a normal Figma analysis tool, but it needs your Figma token and installs Node packages, so use it only with files you intend to analyze.

Before installing, keep FIGMA_ACCESS_TOKEN private, review npm dependencies, and run the tool from a trusted workspace. Provide only Figma file IDs and local implementation files you actually want analyzed, and avoid committing generated reports, screenshots, .env files, or shell-profile tokens to public repositories.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can retrieve design metadata, design-system details, comment counts, versions, and screenshots for any Figma file accessible to your token.

Why it was flagged

The skill needs a Figma personal access token to call the Figma API. This is expected for the stated integration, but the token can access Figma files available to that account.

Skill content

compatibility: Requires Node.js 20+; provide a Figma personal access token via the FIGMA_ACCESS_TOKEN environment variable.

Recommendation

Use the least-privileged token available, keep it out of shared logs and repositories, and revoke it when no longer needed.

What this means

Running npm install will fetch external package code, and future dependency resolution may differ from what was originally tested.

Why it was flagged

The skill relies on third-party npm packages with caret version ranges. This is normal for a Node-based CLI, but versions are not fully pinned in the provided artifacts.

Skill content

"dependencies": { "axios": "^1.6.0", "commander": "^11.1.0", "chalk": "^4.1.2", "dotenv": "^16.3.1", "jsdom": "^22.1.0", "sharp": "^0.33.0" }

Recommendation

Install in a trusted or isolated workspace, review generated lockfiles, and consider pinning dependencies before production use.

What this means

If pointed at the wrong file, part of a local file could appear in the generated report or agent context.

Why it was flagged

The compare feature reads a user-specified local implementation file and, for non-CSS files, includes a preview of its contents in the analysis output.

Skill content

const content = fs.readFileSync(filePath, 'utf8'); ... content_preview: content.substring(0, 500) + '...'

Recommendation

Only compare intended project files and avoid using this command on files that may contain secrets or private data.