Skill Trust Decision

figma-agent

The skill reads Figma OAuth tokens from third-party credential stores (Claude Code, Codex, Windsurf) and writes them to OpenClaw config — a credential harvesting pattern that is completely undeclared in SKILL.md, creating significant documentation deception risk.

Source: Manual upload · Scanned: Apr 3, 2026
Files: 9 · Artifacts: 13 · Violations: 3 · Findings: 5

Most direct threat evidence

01. Skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN)
    Entry · SKILL.md
02. bootstrap-token.mjs invokes token-scanner.mjs which reads ~/.claude/.credentials.json, iterating all mcpOAuth entries
    Reconnaissance · scripts/token-scanner.mjs
03. Same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens
    Reconnaissance · scripts/token-scanner.mjs

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability: 3 undeclared or violating capabilities were inferred.
Review · Hidden execution and egress: 13 lower-risk artifacts were extracted and still need context.
Block · Attack chain and severe findings: The report includes 6 attack-chain steps and 2 severe findings.
Pass · Dependencies and supply chain hygiene: Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01. Skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN)
    Entry · SKILL.md:1

02. bootstrap-token.mjs invokes token-scanner.mjs which reads ~/.claude/.credentials.json, iterating all mcpOAuth entries
    Reconnaissance · scripts/token-scanner.mjs:56

03. Same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens
    Reconnaissance · scripts/token-scanner.mjs:74

04. If --refresh is passed, bootstrap-token.mjs POSTs refresh token to api.figma.com — undeclared network access
    Escalation · scripts/bootstrap-token.mjs:39

05. Extracted tokens are written to openclaw.json under mcp.servers.figma — config file modification undeclared
    Persistence · scripts/bootstrap-token.mjs:77

06. Figma access tokens stored in openclaw.json could be read by other processes with filesystem access to ~/.openclaw/
    Impact · scripts/bootstrap-token.mjs:77

What drove the risk score up

Undeclared credential file access +20

SKILL.md never mentions that bootstrap-token.mjs scans ~/.claude/.credentials.json, ~/.codex/auth.json, and ~/.codeium/windsurf/mcp_config.json for OAuth tokens — this is a critical omission

Credential scanning logic is hidden in token-scanner.mjs +10

The token-scanner.mjs file iterates all keys in mcpOAuth and all top-level keys in auth.json, making it structurally capable of harvesting non-Figma tokens beyond declared scope

Undeclared network access +8

bootstrap-token.mjs performs POST to api.figma.com for token refresh, not declared in SKILL.md prerequisites or capability groups

Undeclared filesystem WRITE +5

Token is written to openclaw.json (filesystem:WRITE) — SKILL.md only declares FIGMA_MCP_TOKEN env requirement, not config file modification

Positive: No evidence of exfiltration -5

Tokens are written only to openclaw.json, not exfiltrated to third-party servers; refresh targets official Figma API

Positive: Figma-scope filtering -3

Claude Code token scan filters by key.includes('figma'), reducing scope of harvested data

Most important evidence

High Credential Theft

Undeclared scanning of Claude Code credential store

token-scanner.mjs reads and parses ~/.claude/.credentials.json, iterating all mcpOAuth keys to extract Figma tokens. This is not declared in SKILL.md's prerequisites or any capability group. While the intent is to bootstrap a Figma MCP token, the scanning pattern (iterating all keys, not just Figma-specific paths) and the absence of any disclosure raise concerns.

scripts/token-scanner.mjs:56
Either replace with a user-provided token input, or document this clearly in SKILL.md with an explicit list of scanned files and the reasoning.

High Credential Theft

Undeclared scanning of Codex and Windsurf credential stores

The same token-scanner.mjs also reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json. SKILL.md mentions 'Claude Code' and 'add Figma in MCP settings' for Codex/Cursor/VS Code, but never describes that this skill will parse their local credential files.

scripts/token-scanner.mjs:74
Document each credential store path explicitly. Consider removing Codex and Windsurf scanning if Figma tokens stored there are not actually needed for this skill.

Medium Doc Mismatch

SKILL.md declares only env and node requirements, omits all file and network access

The 'requires' section of SKILL.md only states env: FIGMA_MCP_TOKEN and anyBins: node. It never mentions that bootstrap-token.mjs will read 3 credential files, make HTTP POST requests to api.figma.com, and write to openclaw.json. This constitutes a documentation mismatch on declared vs actual capabilities.

SKILL.md:1
Update the requires section to include filesystem:READ (for credential store scanning), network:WRITE (for token refresh), and filesystem:WRITE (for openclaw.json config updates). Add a security notes section explicitly listing scanned credential file paths.

Medium Sensitive Access

Overly broad key iteration in Claude Code credential parsing

The Claude Code scan iterates all keys in mcpOAuth (Object.entries) and checks key.includes('figma'). This structural pattern (full key iteration + string containment check) is a common indicator of token harvesting code, even though the specific filter narrows the scope at evaluation time. The same pattern exists for Codex auth.json (all top-level keys iterated).

scripts/token-scanner.mjs:60
Refactor to use targeted key lookups rather than full object iteration to reduce ambiguity about intent.

Low Doc Mismatch

Token bootstrap script and --refresh flag not documented in SKILL.md

SKILL.md describes 'node scripts/bootstrap-token.mjs' but does not document the --refresh flag which performs a network request. The token refresh capability (POST to Figma OAuth endpoint) is entirely absent from documentation.

SKILL.md:58
Add documentation for all command-line flags: --dry-run, --refresh. Note that --refresh requires network access to api.figma.com.

Declared capability vs actual capability

Filesystem · Block · Declared NONE · Inferred READ
token-scanner.mjs:56-72 reads ~/.claude/.credentials.json, ~/.codex/auth.json, ~/.codeium/windsurf/mcp_config.json — no filesystem:READ declared anywhere in SKILL.md

Filesystem · Block · Declared NONE · Inferred WRITE
bootstrap-token.mjs:77 writes to openclaw.json — SKILL.md declares only FIGMA_MCP_TOKEN env requirement, not config file writes

Network · Block · Declared NONE · Inferred WRITE
bootstrap-token.mjs:39-49 POSTs refresh token to api.figma.com/v1/oauth/token — no network access declared in SKILL.md

Environment · Pass · Declared READ · Inferred READ
SKILL.md declares FIGMA_MCP_TOKEN env requirement; figma-mcp-cli.mjs:9 reads process.env.FIGMA_MCP_TOKEN

Shell · Pass · Declared NONE · Inferred NONE
No subprocess or shell execution found

Suspicious artifacts and egress

Medium · External URL · https://keepachangelog.com/ · CHANGELOG.md:5
Medium · External URL · https://semver.org/ · CHANGELOG.md:5
Medium · External URL · https://help.figma.com/hc/en-us/articles/32132100833559 · README.md:5
Medium · External URL · https://img.shields.io/badge/License-MIT-green.svg · README.md:9
Medium · External URL · https://img.shields.io/badge/version-v0.1.1-blue.svg · README.md:10
Medium · External URL · https://clawhub.ai · README.md:11
Medium · External URL · https://img.shields.io/badge/ClawHub-skill-purple.svg · README.md:11
Medium · External URL · https://mcp.figma.com/mcp · README.md:37
Medium · External URL · https://nodejs.org · README.md:57
Medium · External URL · https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/ · README.md:168
Medium · External URL · https://api.figma.com/v1/oauth/token · scripts/bootstrap-token.mjs:32
Medium · External URL · https://figma.com/mcp · scripts/figma-mcp.mjs:179

Dependencies and supply chain

Package: none · Version: N/A · Source: none · Known vuln: No · Notes: No npm dependencies — pure Node.js built-ins (fs, os, path, fetch)

File composition

9 files · 961 lines
Markdown 4 files · 491 lines
JavaScript 4 files · 451 lines
JSON 1 file · 19 lines
Files of concern · 7
scripts/bootstrap-token.mjs JavaScript · 137 lines
https://api.figma.com/v1/oauth/token
scripts/token-scanner.mjs JavaScript · 90 lines
Undeclared scanning of Claude Code credential store · Undeclared scanning of Codex and Windsurf credential stores · Overly broad key iteration in Claude Code credential parsing
SKILL.md Markdown · 224 lines
SKILL.md declares only env and node requirements, omits all file and network access · Token bootstrap script and --refresh flag not documented in SKILL.md
README.md Markdown · 203 lines
https://help.figma.com/hc/en-us/articles/32132100833559 · https://img.shields.io/badge/License-MIT-green.svg · https://img.shields.io/badge/version-v0.1.1-blue.svg · https://clawhub.ai · https://img.shields.io/badge/ClawHub-skill-purple.svg · https://mcp.figma.com/mcp · https://nodejs.org · https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/
scripts/figma-mcp.mjs JavaScript · 196 lines
https://figma.com/mcp
CHANGELOG.md Markdown · 29 lines
https://keepachangelog.com/ · https://semver.org/
package.json JSON · 19 lines
Other files · figma-api.md · figma-mcp-cli.mjs

Security positives

Zero npm dependencies in package.json — eliminates supply-chain attack surface entirely
No base64 encoding, eval(), or obfuscated code patterns anywhere in the codebase
Tokens are written only to the local openclaw.json config, not exfiltrated to external servers
Token refresh targets the official Figma OAuth endpoint (api.figma.com), not an attacker-controlled server
Claude Code token scan includes a Figma-scope filter (key.includes('figma')) limiting data exposure
No reverse shell, C2 communication, or data theft chains identified
Code is modular with clear separation: token-scanner.mjs (file I/O), bootstrap-token.mjs (network + config), figma-mcp.mjs (MCP client)