Zeplin to Prompt
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: zeplin-to-prompt
Version: 1.0.1
The skill is designed to export Zeplin design screens into a structured JSON/HTML format for use in AI prompts. It manages Zeplin Personal Access Tokens by storing them in a local configuration file (`~/.zeplin-skill-config.json`) with appropriate file permissions (0o600). The implementation uses Node.js and Bash to process design data, download assets from official Zeplin APIs, and package the results into a ZIP file. While it utilizes shell commands for file operations and opening the final report, it employs a robust filename sanitization utility in `lib/fsHelpers.mjs` to mitigate command injection risks. No evidence of data exfiltration, unauthorized remote access, or malicious intent was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A saved Zeplin token could allow future exports of designs the token can access, and anyone with access to the local config file may be able to reuse it.
The skill asks for a Zeplin credential and stores it persistently for later authenticated exports. This is disclosed and purpose-aligned, but it is sensitive access.
Tokens are stored in `~/.zeplin-skill-config.json` as a `projectId -> token` mapping ... Please provide a Zeplin Personal Access Token
Use a token with the minimum access needed, avoid sharing broad account tokens, and delete or rotate the token when finished.
The skill will run local scripts and create files/directories while exporting Zeplin data.
The skill instructs the agent to execute bundled Node code locally. This is central to the export function, but it is still local code execution.
node "${CLAUDE_SKILL_DIR}/export_screen.mjs" ... --no-open --quiet
Install and run it only in a trusted workspace; review local commands if you are using sensitive projects.
Installing dependencies may pull code from the npm ecosystem into the local environment.
The skill depends on npm-installed packages even though the registry section lists no install spec. A package-lock is present, so this is a normal but noteworthy dependency step.
Install dependencies before the first run:
```bash
npm install
```
Prefer installing from the included lockfile, for example with npm ci, and run in a trusted environment.
