Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sloth D2C Skills

v1.0.1

Converts Figma design files into front-end component code (Design to Code). It fetches the design data through an MCP tool, processes it in chunks and generates the final code. Use it when the user mentions Figma-to-code, design-to-code, D2C, design to code, or generating a page.


Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cherokeeli/sloth-d2c-skills.

Install the skill "Sloth D2C Skills" (cherokeeli/sloth-d2c-skills) from ClawHub.
Skill page: https://clawhub.ai/cherokeeli/sloth-d2c-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install sloth-d2c-skills

ClawHub CLI:

npx clawhub@latest install sloth-d2c-skills

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name and description (Design-to-Code using an MCP #d2c_figma tool) align with the runtime instructions: call an MCP tool, process chunks, aggregate, and generate code. No unrelated credentials or binaries are requested by the skill itself.
Instruction Scope (flagged)
The SKILL.md asks the main agent to call the #d2c_figma MCP Tool and to write final code into the project — reasonable. However, the included sloth-d2c-agent config declares read_file/search tools and enables background, agentic behavior while also stating 'absolute prohibitions' (do not read other files, do not edit project files). Those prohibitions are only instructions, not enforced restrictions. The agent tools as declared could read arbitrary files accessible to the agent if not programmatically constrained. There's also a mismatch: subagents are said to be used for processing but are forbidden from using MCP/Skills, while the main flow requires MCP.
Install Mechanism
The skill is instruction-only (no install spec) which is low-risk. SKILL.md includes troubleshooting commands that suggest installing an npm package (npm install -g sloth-d2c-mcp) if a CLI is missing — that references an external package of unknown provenance and could be risky if followed without vetting.
Credentials
The skill declares no required environment variables or credentials, which is coherent. But error handling references '未配置有效 Token' (403) without specifying which token or where it should be provided. Lack of explicit auth declarations makes it unclear what credentials the MCP Tool needs.
Persistence & Privilege (flagged)
The bundled sloth-d2c-agent has enabled: true and enabledAutoRun: true and is_background: true. That implies an agent the platform may auto-run in the background with file-reading tools, increasing persistence and potential attack surface even though the skill's top-level flags (always: false) are normal. This persistent/autonomous subagent combined with broad read tools is a notable risk.
What to consider before installing
This skill appears to do what it says (convert Figma design data into code) but has worrisome operational details you should review before installing:

1) The package includes a background subagent (enabledAutoRun) with file-reading tools — confirm how/when that agent runs and restrict its file access (prefer limiting to the .sloth path).
2) The subagent's 'do not read other files' rule is an instruction, not an enforced sandbox; verify runtime enforcement or disable the subagent auto-run.
3) The SKILL.md references an MCP Token/403 errors but doesn't declare where to supply credentials — ask the maintainer which token is needed and why.
4) Troubleshooting suggests installing an npm package (sloth-d2c-mcp) of unknown origin — do not run that install without vetting the package source.

If you need to use this skill, prefer running it in an isolated sandbox, inspect/disable the background agent, and verify the MCP tool and any npm package provenance first.


latest: vk972xqe7eg69r6n6drrgnb3ajs832v2k · 209 downloads · 0 stars · 2 versions · Updated 59m ago · v1.0.1 · MIT-0

Figma design to code (D2C)

Use this Skill only from the main Agent; do not run the MCP Tool from the command line.

Pre-checks

Required parameters

| Parameter | Description |
| --- | --- |
| fileKey | Figma file Key |
| nodeId | Figma node ID |

If any of the above parameters is missing, ask the user to provide it.

Optional parameters

depth (node depth), local (cache), update (update mode), silent (silent mode), framework (framework)

Environment check

Confirm that the #d2c_figma MCP Tool is available. If it is not, go to Troubleshooting.

Execution flow

Task Progress:
- [ ] Step 1: Run MCP
- [ ] Step 2: Process code chunks in parallel and aggregate
- [ ] Step 3: Generate the final code and write it to files

Step 1: Run MCP

Use Skills to call the #d2c_figma MCP Tool with the local data cache enabled and silent mode off, passing fileKey, nodeId and the other parameters.

Step 2: Process code chunks in parallel and aggregate

Path variable: replace the ':' in nodeId with '_' to obtain convertedNodeId. Launch multiple sloth-d2c-agent subagents to run the following two kinds of tasks in parallel:

| Task | Prompt path |
| --- | --- |
| Code chunk processing (multiple) | .sloth/{fileKey}/{convertedNodeId}/chunks/{index}.md |
| Aggregation | .sloth/{fileKey}/{convertedNodeId}/chunks/codeAggregation.md |

Proceed to the next step once all subagents have finished.

Step 3: Generate the final code and write it to files

The main Agent collects the results of Step 2, reads .sloth/{fileKey}/{convertedNodeId}/chunks/finalGenerate.md and uses its content as the prompt to convert the code, then writes the result into the project files.
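As an added example (not part of this skill or the Sloth project), the following Python builds the Step 2 and Step 3 prompt paths from fileKey and nodeId and turns the scan report's recommendation, keeping subagent file reads inside the .sloth path, into a programmatic check instead of a prompt instruction. The regexes for the shape of fileKey and nodeId, the 0-based chunk index, and the project_root parameter are this example's assumptions.

```python
"""Added example: .sloth prompt paths plus an enforced read restriction.

Not code from the Sloth D2C skill. Assumed: fileKey is alphanumeric, nodeId
looks like "123:456", chunk indices start at 0, and reads are resolved
relative to a project_root directory.
"""
import re
from pathlib import Path, PurePosixPath

# Assumed input shapes (this example's choice, not the skill's spec). Rejecting
# anything else keeps '..', '/' and similar out of the constructed paths.
FILE_KEY_RE = re.compile(r"^[A-Za-z0-9]+$")
NODE_ID_RE = re.compile(r"^\d+:\d+$")


def converted_node_id(node_id: str) -> str:
    """Step 2 path variable: replace ':' in nodeId with '_'."""
    if not NODE_ID_RE.fullmatch(node_id):
        raise ValueError(f"unexpected nodeId shape: {node_id!r}")
    return node_id.replace(":", "_")


def chunk_dir(file_key: str, node_id: str) -> PurePosixPath:
    """.sloth/{fileKey}/{convertedNodeId}/chunks as laid out in Step 2."""
    if not FILE_KEY_RE.fullmatch(file_key):
        raise ValueError(f"unexpected fileKey shape: {file_key!r}")
    return PurePosixPath(".sloth") / file_key / converted_node_id(node_id) / "chunks"


def prompt_paths(file_key: str, node_id: str, chunk_count: int) -> dict:
    """Every prompt file the main agent and its subagents are expected to read."""
    base = chunk_dir(file_key, node_id)
    return {
        "chunks": [str(base / f"{i}.md") for i in range(chunk_count)],  # assumed 0-based
        "aggregation": str(base / "codeAggregation.md"),
        "final": str(base / "finalGenerate.md"),
    }


def is_allowed_read(project_root: str, requested: str, file_key: str, node_id: str) -> bool:
    """Enforce 'do not read other files' in code rather than by instruction.

    Both the allowed directory and the requested path are fully resolved
    (symlinks and '..' collapsed) before the containment test, so a request
    such as 'chunks/../../../src/secret.py' or an absolute path is refused.
    Only the .md prompt files inside the chunk directory are permitted.
    """
    root = Path(project_root)
    allowed = (root / chunk_dir(file_key, node_id)).resolve()
    target = (root / requested).resolve()  # an absolute 'requested' replaces root
    try:
        target.relative_to(allowed)
    except ValueError:
        return False
    return target.suffix == ".md"


if __name__ == "__main__":
    # Constructed sample values, not a real Figma file or node.
    paths = prompt_paths("abc123", "12:34", chunk_count=3)
    print(paths)
    for req in [".sloth/abc123/12_34/chunks/0.md",
                ".sloth/abc123/12_34/chunks/../../../../src/secret.py",
                "/etc/hosts"]:
        print(req, "->", is_allowed_read("/tmp/proj", req, "abc123", "12:34"))
```

The guard belongs in whatever tool layer serves read_file to the subagent; the prompt-level prohibition the scan describes can then be treated as documentation rather than as the control.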

Troubleshooting

| Error type | Handling |
| --- | --- |
| Cannot find MCP Tool | Ask the user to check whether the MCP Tool is available |
| Port error | Run sloth server restart, then retry |
| File does not exist | Ask the user to check the path; stop execution |
| MCP Timeout | Ask the user to raise the timeout setting: connectionTimeout for TME-Continue / timeout for CodeBuddy |
| 403 error | No valid Token is configured; ask the user to configure one |
| 404 error | Design file not found; ask the user to verify fileKey and nodeId |
| MCP Tool not found | Run sloth -v: if it prints a version number, ask the user to configure the MCP Server; if not, run npm install -g sloth-d2c-mcp to install it |
| Error importing a node internal package | Check that the user's node version is 18 or higher |
