Figma Bridge
v1.0.2
Extract design information from Figma files. Pull design tokens, component structure, colors, typography, spacing, and export assets. Use when the user asks...
by Ha Le @vanthienha199
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description ask to extract design info from Figma, and the instructions only request a Figma Personal Access Token and use the official Figma REST endpoints; this is proportional and expected.
Instruction Scope
SKILL.md exclusively describes calling Figma read endpoints via curl, parsing file keys/node ids, and exporting assets to a local ./figma-exports/ folder. These actions are within scope, but exporting writes files to disk and the agent will perform network calls using a sensitive token — verify the agent does not read unrelated local files or transmit exports to other endpoints.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk (nothing is written or executed during install).
Credentials
Only FIGMA_TOKEN is required, which matches the stated purpose. However, the token is sensitive and may carry broader scopes than 'read-only' depending on how it was generated; the skill itself claims it will not store tokens to disk but cannot enforce token scopes.
Persistence & Privilege
Skill is not always-enabled and does not request modification of agent/system settings. It does not declare persistent installation or elevated privileges.
Assessment
This skill appears to do what it says: it reads Figma files using your FIGMA_TOKEN and can export assets locally. Before installing or enabling it, consider the following:
(1) Create a dedicated Figma Personal Access Token with the minimum permissions needed (avoid using broad org/admin tokens);
(2) Treat the FIGMA_TOKEN as sensitive: do not paste it into chat, logs, or shared places; revoke/rotate the token when no longer needed;
(3) Confirm exports are written only to a safe local directory (the skill uses ./figma-exports/) and that the agent will not upload those files to external endpoints;
(4) Because the skill's source/homepage is unknown, you cannot audit additional behavior beyond SKILL.md. If you need stronger assurance, ask the publisher for source code or run the agent in an isolated environment;
(5) If you are concerned about autonomous agent actions, restrict or review autonomous invocation for this skill.
These steps reduce risk though they do not eliminate it.
Like a lobster shell, security has layers: review code before you run it.
latest vk972qv1j3szvf06vqjcjwt60vn83qwz9
Runtime requirements
Environment variables
FIGMA_TOKEN (required): Figma Personal Access Token (generate at figma.com → Settings → Personal Access Tokens)