Figma Agent

Security checks across malware telemetry and agentic risk

Overview

This is a real Figma integration, but its setup reuses credentials from other local apps and stores a Figma bearer token for future OpenClaw use, so it should be reviewed before installing.

Install only if you are comfortable letting OpenClaw reuse an existing Figma login from Claude Code, Codex, or Windsurf and store a bearer token in OpenClaw config. Prefer a dedicated or least-privileged Figma account, review the bootstrap script before running it, back up OpenClaw config, and manually save Figma version history before important edit operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The method name and docstring promise a safety property: a version-history checkpoint is saved before destructive writes, ensuring rollback if the write is wrong or malicious. In reality, the implementation performs a normal write and silently omits the safeguard, which can cause irreversible design changes and mislead callers into taking higher-risk actions under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code deliberately scans credential stores belonging to other tools (Claude Code, Codex, Windsurf) and extracts access tokens, refresh tokens, client IDs, and client secrets for reuse. Even without network exfiltration in this file, harvesting secrets from unrelated applications violates isolation expectations and enables unauthorized use of the user's Figma access in later code paths.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bootstrap flow explicitly reads an OAuth token from `~/.claude/.credentials.json` and copies it into another config file, but it provides no warning, consent boundary, or guidance on least-privilege handling of those credentials. That creates a real secret-handling risk: users may run the setup without understanding that sensitive tokens are being accessed and duplicated, increasing exposure if the destination file is less protected or later shared.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference documents multiple write-capable Figma tools, including a general-purpose JavaScript execution surface in plugin context (`use_figma`), without an explicit warning that these operations can modify remote design files or execute arbitrary code in Figma's plugin environment. In an agent skill, that omission is security-relevant because it can normalize unsafe use and increase the chance an agent invokes destructive or high-impact actions without clear user consent or risk awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code explicitly falls back to a plain `use_figma` write while silently skipping the documented checkpoint safeguard, and it does so without any user-visible warning at execution time. In an agent context that can modify Figma files, this increases the chance of accidental or unauthorized destructive changes because operators may believe rollback protection exists when it does not.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This logic reads sensitive credential files and returns raw secrets with no user-facing notice, consent, or audit signal. Silent access to access tokens, refresh tokens, and client secrets is dangerous because users would reasonably not expect this skill to inspect other applications' auth stores, and those secrets could be reused or exposed elsewhere in the skill.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The function reads local OpenClaw configuration files without any visible disclosure or permission check. This is less severe than token harvesting because it targets the skill's own ecosystem rather than unrelated credential stores, but silent local config inspection can still expose sensitive paths, settings, or future secret-bearing fields.

Credential Access

High
Category
Privilege Escalation
Content
*/
export function scanForFigmaToken() {
  // 1. Claude Code
  const claudePath = join(HOME, '.claude', '.credentials.json');
  if (existsSync(claudePath)) {
    try {
      const creds = JSON.parse(readFileSync(claudePath, 'utf8'));
Confidence
99% confidence
Finding
credentials.json

VirusTotal

VirusTotal findings are pending for this skill version.
