Trusted — Risk Score 5/100
Last scan: 1 day ago
zeplin-to-prompt
Export Zeplin designs into structured layer tree with local assets, package as zip
Legitimate Zeplin design export tool with no malicious behavior detected. All functionality is properly documented, dependencies are standard SDK packages, and credential handling follows legitimate patterns for API token storage.
Skill Name: zeplin-to-prompt
Duration: 56.2s
Engine: pi
Safe to install
This skill is safe to use. It requires filesystem:WRITE for creating exports and network:READ for accessing Zeplin's public API. No additional security concerns identified.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares WRITE for export files; code writes to build/ directory
Network | READ | READ | ✓ Aligned | Only accesses api.zeplin.dev official API; asset downloads via HTTPS
Shell | MINIMAL | MINIMAL | ✓ Aligned | Uses grep, zip, open, and node commands as documented in SKILL.md
9 findings
Severity | Type | URL | Location
Medium | External URL | https://app.zeplin.io/project/ | README.md:18
Medium | External URL | https://app\.zeplin\.io/project/[^[:space: | SKILL.md:17
Medium | External URL | https://app.zeplin.io/project/xxx/screen/aaa | SKILL.md:24
Medium | External URL | https://app.zeplin.io/project/xxx/screen/bbb | SKILL.md:25
Medium | External URL | https://api.zeplin.dev/v1 | export_project.mjs:48
Medium | External URL | https://app.zeplin.io/project/xxx/screen/yyy | export_screen.mjs:20
Medium | External URL | https://app.zeplin.io/project/$ | lib/htmlDocument.mjs:23
Medium | External URL | https://opencollective.com/core-js | package-lock.json:78
Medium | External URL | https://dotenvx.com | package-lock.json:99

File Tree

20 files · 171.2 KB · 4541 lines
JavaScript 15f · 3899L JSON 2f · 353L Markdown 2f · 213L CSS 1f · 76L
├─ 📁 lib
│ ├─ 📜 assets.mjs JavaScript 282L · 9.2 KB
│ ├─ 📜 fsHelpers.mjs JavaScript 29L · 989 B
│ ├─ 📜 htmlDocument.mjs JavaScript 83L · 4.2 KB
│ ├─ 📜 layerTree.mjs JavaScript 505L · 19.1 KB
│ ├─ 📜 logger.mjs JavaScript 34L · 887 B
│ ├─ 📜 minifyLayout.mjs JavaScript 158L · 4.8 KB
│ ├─ 📜 previewClient.js JavaScript 1238L · 45.3 KB
│ ├─ 📄 previewStyles.css CSS 76L · 8.1 KB
│ ├─ 📜 renderHtml.mjs JavaScript 4L · 233 B
│ ├─ 📜 renderIndex.mjs JavaScript 74L · 3.5 KB
│ ├─ 📜 renderLayer.mjs JavaScript 344L · 16.1 KB
│ ├─ 📜 renderTree.mjs JavaScript 98L · 4.9 KB
│ ├─ 📜 styleMapping.mjs JavaScript 590L · 20.6 KB
│ └─ 📜 zeplinClient.mjs JavaScript 8L · 345 B
├─ 📜 export_project.mjs JavaScript 203L · 6.7 KB
├─ 📜 export_screen.mjs JavaScript 249L · 8.6 KB
├─ 📋 package-lock.json JSON 337L · 11.6 KB
├─ 📋 package.json JSON 16L · 303 B
├─ 📝 README.md Markdown 65L · 1.9 KB
└─ 📝 SKILL.md Markdown 148L · 4.1 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
@zeplin/sdk | ^1.34.0 | npm | No | Official Zeplin SDK, version pinned
dotenv | ^17.2.3 | npm | No | Environment variable loading, version pinned

Security Positives

✓ All functionality fully documented in SKILL.md
✓ Dependencies (@zeplin/sdk, dotenv) are standard, pinned packages
✓ No credential exfiltration - tokens stored locally with 0o600 permissions
✓ Network requests limited to official Zeplin API (api.zeplin.dev)
✓ Asset downloads over HTTPS with redirect limit (MAX_DOWNLOAD_REDIRECTS = 5)
✓ No base64-encoded execution or obfuscation detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No environment variable enumeration or credential harvesting
✓ Proper error handling throughout (try/catch blocks)
✓ Input sanitization for file paths (sanitizeFileName function)