Zeplin to Prompt

Status: Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims—export Zeplin designs locally—but it requires a Zeplin token, stores it on disk, installs npm dependencies, and runs local Node/zip commands.

Before installing, make sure you are comfortable giving the skill a Zeplin token and letting it save that token in ~/.zeplin-skill-config.json. Use the least-privileged token available, run dependency installation in a trusted workspace, and remember that exported zips may contain proprietary design data and assets.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A saved Zeplin token could allow future exports of designs the token can access, and anyone with access to the local config file may be able to reuse it.

Why it was flagged

The skill asks for a Zeplin credential and stores it persistently for later authenticated exports. This is disclosed and purpose-aligned, but it is sensitive access.

Skill content

> Tokens are stored in `~/.zeplin-skill-config.json` as a `projectId -> token` mapping ... Please provide a Zeplin Personal Access Token

Recommendation

Use a token with the minimum access needed, avoid sharing broad account tokens, and delete or rotate the token when finished.

What this means

The skill will run local scripts and create files/directories while exporting Zeplin data.

Why it was flagged

The skill instructs the agent to execute bundled Node code locally. This is central to the export function, but it is still local code execution.

Skill content

```bash
node "${CLAUDE_SKILL_DIR}/export_screen.mjs" ... --no-open --quiet
```

Recommendation

Install and run it only in a trusted workspace; review local commands if you are using sensitive projects.

What this means

Installing dependencies may pull code from the npm ecosystem into the local environment.

Why it was flagged

The skill depends on npm-installed packages even though the registry section lists no install spec. A package-lock is present, so this is a normal but noteworthy dependency step.

Skill content
Install dependencies before the first run:

```bash
npm install
```

Recommendation

Prefer installing from the included lockfile, for example with `npm ci`, and run in a trusted environment.