Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Figma to Mobile
v1.2.0
Convert Figma designs to mobile UI code. Supports Android (Jetpack Compose, XML) and iOS (SwiftUI, UIKit). Use when a user provides a Figma link and wants mo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (convert Figma → mobile code) matches the included files and declared requirements: scripts/figma_fetch.py to call the Figma REST API and many platform mapping references. Requesting FIGMA_TOKEN and python3 is appropriate for this purpose. Minor note: SKILL.md metadata includes a pip3 install step for 'requests' even though the registry-level install spec is absent — this is reasonable but the skill will try to install a Python package at runtime.
Instruction Scope
The runtime instructions tell the agent to call the bundled Python scripts to fetch Figma data, do diffs, and (optionally) run project_scan.py on a local project path. Those actions are consistent with the goal, but project_scan.py reads local project files if invoked — so the agent will access local filesystem contents when the user allows it. The skill does not instruct reading unrelated system artifacts or exfiltrating data to unknown endpoints; it uses the Figma API as expected.
Install Mechanism
No external binary downloads or remote installers are present. The only install action in SKILL.md metadata is a straightforward 'pip3 install requests' shell command — a standard Python dependency installation. All code is included in the skill bundle (no arbitrary URL downloads or extract steps).
Credentials
The only required environment credential is FIGMA_TOKEN (declared as primaryEnv), which is necessary to call the Figma API. No other unrelated secrets or config paths are requested. Be aware that a valid FIGMA_TOKEN grants access to whatever Figma resources that token permits (personal access tokens typically allow reading files the token owner can access).
Persistence & Privilege
The skill is not marked 'always: true' and does not request system-wide configuration changes. It contains scripts that may write generated code to disk if run locally, which is expected behavior for a code-generation skill. Autonomous invocation is allowed by default on the platform, which is normal — there is no additional elevated privilege requested by this skill.
Assessment
What to consider before installing and running:
- The skill legitimately needs your FIGMA_TOKEN to fetch design data. Only provide a token with the minimum scope you accept; if unsure, create a short‑lived/revocable token and revoke it after use.
- The skill runs bundled Python scripts (figma_fetch.py, project_scan.py). Running them executes code from this package with your agent's privileges — review the scripts if you want to confirm behavior before execution.
- project_scan.py can read local project files when you pass a path. Don’t run the project scan on directories containing secrets or credentials unless you trust the skill and the environment.
- The SKILL.md requests installing the 'requests' package via pip3; ensure you are comfortable with that in your environment (or run inside a virtualenv/container).
- If you do not want the agent to run these scripts autonomously, restrict the skill's execution in your agent settings or require explicit user invocation for actions that access local files or external services.
- If you have low tolerance for risk, test first in an isolated environment (VM/container) and inspect the code (figma_fetch.py and scanners) before supplying tokens or running project scans.
Like a lobster shell, security has layers — review code before you run it.
latest vk977graj01zrsn85m19e1hhch584dpxh
Runtime requirements
Bins: python3
Env: FIGMA_TOKEN
Primary env: FIGMA_TOKEN
