UI Prototype Generator

v1.0.0

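Generate interactive prototypes from reference images or descriptions. Outputs HTML by default and uses Figma only when the user explicitly asks for it. Supports (1) HTML prototypes for web preview and testing, (2) Figma design files generated through the API for design handoff and collaboration, (3) reusable UI elements based on a component architecture, (4) responsive layouts and interaction states, (5) rapid iteration based on feedback.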

by yingle@zhappy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill name/description align with included assets: HTML generator, Figma generator, component references, and a bundled Figma plugin. Requiring a Figma token only for Figma output is appropriate and supported by an auth-profiles.template.json file.
Instruction Scope
SKILL.md stays mostly within scope (generate HTML by default; call Figma API only on explicit request). However, the doc instructs the agent to 'prompt the user for a Figma token' and to 'save' it to auth-profiles.json; that flow is ambiguous and could lead to users pasting secrets into the chat (exposing tokens to the model/authed logs). The exact mechanism for securely writing auth-profiles.json is not specified, and some runtime behaviors (how the agent prompts, where it saves files) are left to implementation, granting the agent discretion that could leak secrets if mishandled.
Install Mechanism
No external install spec or remote downloads are present; the skill is instruction-first and ships local scripts and a Figma plugin. No risky download URLs or extract/install steps were observed.
Credentials
The skill does not declare required env vars in metadata, yet the docs show using a FIGMA_ACCESS_TOKEN (via auth-profiles.json or an env var in examples). Requesting a Figma personal access token only when using Figma is proportionate. Nevertheless, the skill asks users to provide/store that token without a clear secure workflow in the SKILL.md. The example `export FIGMA_ACCESS_TOKEN=$(cat auth-profiles.json | jq -r '.profiles.figma.access_token')` reads the token from a local file, which is acceptable, but the doc also suggests the user may supply the token to the agent directly (risk of exposure).
Persistence & Privilege
always:false and no statements about modifying other skills or system-wide settings. The skill stores credentials in a local auth-profiles.json template and includes no 'always' or elevated privileges.
Assessment
This skill appears to do what it says: generate HTML prototypes by default and call the Figma API only when asked. Before installing or using it, review these points:
(1) Never paste your Figma Personal Access Token into a chat with the agent unless you explicitly trust that channel — prefer creating the auth-profiles.json file in the path the skill documents (or set the env var) so the agent reads the token from disk rather than you typing it into conversation.
(2) Inspect scripts/scripts/figma_generator.py and scripts/html_generator.py (they are included) to confirm API calls go only to api.figma.com and that there is no hidden logging/exfiltration.
(3) Limit the Figma token scope to the minimum needed, and rotate/revoke it after testing.
(4) When running any included script locally, run it in a sandbox or with least privileges; avoid running unknown scripts as root.
(5) The SKILL.md is somewhat vague about how tokens are 'securely saved' — if you plan to use Figma output, set up auth-profiles.json yourself in the documented location rather than pasting credentials into the assistant.
If you want higher assurance, ask the maintainer for a security walkthrough or review the full python scripts before enabling Figma integrations.
