Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Software UI Design

v1.0.0

A software UI design assistance skill covering design-file parsing (Figma/Sketch/Adobe XD), automatic annotation, slice/asset organization, UI specification checking, design-mockup comparison, and design-system documentation generation. Trigger scenarios: parsing design mockups, automatic annotation, design asset export, UI specification validation, slice organization, design-to-code, and color/font specification extraction.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (Figma/Sketch/XD parsing, annotation, exporting, design-to-code) broadly matches the included code, which targets Figma. However, SKILL.md and its 'Core Scripts' (核心脚本) list name many scripts (sketch_parser.py, annotate.py, export_assets.py, design_to_code.py) and reference files that are not present in the package. That gap makes it unclear whether the skill truly implements the claimed capabilities. Additionally, the two provided scripts implement only part of the workflow (Figma parsing and a UI checker) rather than the full feature set described.
Instruction Scope
Runtime instructions describe using the Figma API and user-provided tokens/files, which is consistent with figma_parser calling api.figma.com. The instructions don't request unrelated system files or external endpoints. However, the SKILL.md workflow assumes other parsing/export scripts and a particular report shape: ui_checker expects a report with an 'elements' array, while figma_parser produces keys like 'colors', 'textStyles', and 'components'. These data-shape mismatches mean that following the documented workflow will likely fail without additional glue code.
Install Mechanism
There is no install spec (instruction-only deployment) and no downloads or third-party installers; the included Python scripts run locally. This is low-risk from an install standpoint.
Credentials
Registry metadata lists no required env vars, but SKILL.md explicitly states that a Figma Personal Access Token is needed, and figma_parser expects a token as a CLI argument. Requesting a Figma PAT is proportionate to the stated Figma integration, but the metadata omission (no declared env requirement) and the lack of guidance about minimum token scope are inconsistencies the user should note.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or agent-wide config. The agent is allowed to invoke the skill autonomously (platform default), which by itself is not unusual.
What to consider before installing
What to consider before installing or using this skill:

- The package is incomplete: several scripts and reference files listed in SKILL.md are missing. Expect parts of the described workflow (Sketch/XD parsing, export, design-to-code) to be unimplemented.
- Data-format mismatch: figma_parser outputs keys like 'colors', 'textStyles', and 'components', while ui_checker expects a report with an 'elements' array. You will likely need to transform outputs locally or update the scripts to interoperate.
- Token handling: the skill requires a Figma Personal Access Token to call api.figma.com. Only provide a token with the smallest possible scope (read-only, limited to specific files if possible) and prefer using a temporary token. If unsure, run the provided Python scripts locally yourself rather than handing the token to a remote agent.
- Code review: the two included scripts are short and readable and call only api.figma.com and local file I/O; no obfuscated code or hidden endpoints were found. Still, review or run the scripts in a sandbox first.
- If you need the missing features, ask the publisher for the complete source or the missing scripts (sketch_parser.py, annotate.py, export_assets.py, design_to_code.py and the referenced docs). Consider forking and implementing the missing pieces locally rather than trusting an incomplete third-party package.

Recommended actions:

1) Do not share broad-scope or long-lived Figma tokens; create a token with minimal permissions and expire it after use.
2) Test the scripts locally on a disposable account or test file before using real project files.
3) Verify/patch the data flow between figma_parser output and ui_checker input before relying on automated checks.
4) If you want the full functionality described in SKILL.md, request the missing scripts or choose another tool with a complete implementation.
Confidence note: Assessment is "medium" because the code that exists is benign-looking and coherent for Figma parsing, but the missing files and documentation discrepancies create ambiguity about the package's completeness and intent.



