Low Risk — Risk Score 15/100
Last scan: 17 hr ago
figma-desktop
Figma Desktop MCP Skill - access the full feature set through the Figma desktop app's local MCP service
Figma Desktop MCP Skill is a documentation-only skill providing instructions for connecting to Figma's local MCP server via mcporter - no executable code is present and no malicious behavior detected.
Skill Name: figma-desktop
Duration: 34.8s
Engine: pi
Safe to install
The skill is safe for use. Consider pinning the mcporter version in installation instructions to improve supply chain security.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned npm package installation | Supply Chain
The skill instructs users to install mcporter via 'npm install -g mcporter' without specifying a version. This could lead to unexpected behavior if the package changes in the future.
npm install -g mcporter
→ Pin to a specific version: npm install -g mcporter@<version> (the exact version string is not given in the report)
SKILL.md:47
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations found in SKILL.md
Network | READ | READ | ✓ Aligned | Only localhost:3845 (Figma MCP) and documentation URLs referenced
Shell | NONE | NONE | | No shell commands executed by skill - only user-invoked CLI commands documented
External URLs (5 findings)

Medium | External URL | http://127.0.0.1:3845/mcp | SKILL.md:8
Medium | External URL | https://www.figma.com/downloads/ | SKILL.md:33
Medium | External URL | https://developers.figma.com/docs/figma-mcp-server/ | SKILL.md:270
Medium | External URL | https://www.figma.com/blog/introducing-figma-mcp-server/ | SKILL.md:271
Medium | External URL | https://developers.figma.com/code-connect/ | SKILL.md:272

File Tree

1 file · 6.9 KB · 272 lines
Markdown 1f · 272L
└─ 📝 SKILL.md Markdown 272L · 6.9 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
mcporter | unpinned | npm | No | Version not pinned in documentation

Security Positives

✓ Skill is purely documentation - no hidden executable code
✓ Network access is strictly localhost (127.0.0.1:3845) for Figma MCP
✓ No credential harvesting or environment variable access
✓ No obfuscation or base64-encoded payloads
✓ No sensitive file system access (.ssh, .aws, .env, etc.)
✓ No data exfiltration or external IP communication
✓ No reverse shell or command execution capabilities
✓ Legitimate Figma integration documented with clear use cases