Figma Sync
v1.0.0Read Figma files, extract design tokens, generate React Native Expo TS or Web React + Tailwind code, write back to Figma, and diff local models against Figma for minimal patches. Triggers: "pull figma", "sync figma", "figma to code", "push to figma", "diff figma", "extract design tokens", "generate from figma", "preview figma changes"
⭐ 0· 1.4k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code and SKILL.md align with the stated purpose (reading Figma, extracting tokens, generating code, producing plugin-compatible patch specs). However the registry metadata claims no required env vars or binaries while the runtime clearly needs a FIGMA_TOKEN and Python + requests; that mismatch is incoherent and should be fixed by the author. Network access to api.figma.com is necessary and expected for the stated purpose.
Instruction Scope
SKILL.md and the scripts confine actions to Figma API calls, local caching (.figma-cache/), and writing output files (out/, pluginSpec.json, patchSpec.json, etc.). The scripts do not reference unrelated system paths, other credentials, or external endpoints beyond api.figma.com. They also correctly note that node mutations require a companion Figma plugin.
Install Mechanism
There is no install spec, but the skill ships multiple Python scripts that import 'requests' and expect python3. The registry declared no required binaries. That is inconsistent: the skill will likely fail unless the runtime has Python 3 and the 'requests' package available. Lack of a packaged/install step or dependency declaration increases friction and risk (user may run unvetted scripts).
Credentials
The runtime requires a Figma token (FIGMA_TOKEN) — used by get_token() and api_get() — which is appropriate for the purpose. However the skill metadata did not declare any required env vars or a primary credential. The omission is an information gap: users won't be warned that a secret token is needed nor that it will be used to call Figma. The code does not request unrelated credentials.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide settings. It writes cache and output files in the working directory (expected). Autonomous invocation (model invocation enabled) is the platform default and not by itself a red flag here.
What to consider before installing
This skill's code looks coherent for syncing Figma ↔ code, but there are important mismatches you should address before use: 1) The scripts require you to set FIGMA_TOKEN (a personal access token) but the skill metadata does not declare this — assume you must provide that secret. 2) The package has no install/dependency spec: it requires python3 and the 'requests' library; run it in a controlled environment (virtualenv or container) and inspect the scripts yourself. 3) The tool writes caches and output files (.figma-cache/, ./out/) and generates a pluginSpec.json intended for a companion Figma plugin — node changes are dry-run by default; actual mutations require loading the spec into a Figma plugin or using the plugin bridge. Recommended actions: verify the author/source (homepage missing), ask the publisher to update metadata to list FIGMA_TOKEN and runtime deps, run the scripts locally in an isolated environment, inspect pluginSpec/patchSpec before using --execute, and use a least-privilege Figma token. If you cannot verify the source, avoid supplying long-lived tokens or run the skill only against non-sensitive test files.Like a lobster shell, security has layers — review code before you run it.
latestvk978rzktjkx6zdc5cxcjw486kx80v922
License
MIT-0
Free to use, modify, and redistribute. No attribution required.