Figma to Mobile
Pass
Audited by ClawScan on May 9, 2026.
Overview
The skill’s use of a Figma token, Figma API calls, local Python scripts, and optional project scanning is disclosed and aligned with converting Figma designs into mobile UI code.
This skill appears coherent for its purpose. Before installing, make sure you are comfortable giving it a Figma token, install Python dependencies in an isolated environment if possible, and review any generated project scan reports before sharing them outside your machine or organization.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access Figma files available to the token/account used.
The skill explicitly requires a Figma personal access token so its script can call the Figma REST API.
`requires`: { `bins`: [`python3`], `env`: [`FIGMA_TOKEN`] }, `primaryEnv`: `FIGMA_TOKEN`
Use a token from the least-privileged Figma account or workspace appropriate for the task, keep the token out of chat logs, and revoke it if it is no longer needed.
Installing packages globally or without version pinning can change the local Python environment and may reduce reproducibility.
The skill documents installing an external Python package without a pinned version. This is expected for a Python Figma API helper, but it is still an external dependency.
`command`: `pip3 install requests`
Install dependencies in a virtual environment and pin or review package versions if using this in a controlled development environment.
The scan report may contain internal project strings, resource names, image names, or component names that could be exposed if shared with an external agent or copied into logs.
The optional project scan creates a local report of project resources and strings for later use during code generation.
`python scripts/project_scan.py /path/to/project --json --output scan-report.json` ... produces a report with: `All colors, strings, images, custom views in the project`
Run the scan only on the intended project path, review the generated report before sharing it, and avoid scanning projects that contain secrets in resource files.
