Suspicious — Risk Score 48/100
Last scan: 1 day ago
figma-agent
Unified Figma skill for OpenClaw. Reads design context via Figma's Remote MCP and routes write/edit/create operations through ACP coding sessions.
The skill reads Figma OAuth tokens from third-party credential stores (Claude Code, Codex, Windsurf) and writes them to OpenClaw config — a credential harvesting pattern that is completely undeclared in SKILL.md, creating significant documentation deception risk.
Skill Name: figma-agent
Duration: 58.4s
Engine: pi
Use with caution
Remove the credential-store scanning logic from token-scanner.mjs. Replace with a user-driven flow where the token is pasted or provided directly, or clearly document the credential scanning in SKILL.md with a prominent security warning explaining exactly which files are read and why.

Attack Chain 6 steps

Entry Skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN)
SKILL.md:1
Escalation bootstrap-token.mjs invokes token-scanner.mjs which reads ~/.claude/.credentials.json, iterating all mcpOAuth entries
scripts/token-scanner.mjs:56
Escalation Same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens
scripts/token-scanner.mjs:74
Escalation If --refresh is passed, bootstrap-token.mjs POSTs refresh token to api.figma.com — undeclared network access
scripts/bootstrap-token.mjs:39
Escalation Extracted tokens are written to openclaw.json under mcp.servers.figma — config file modification undeclared
scripts/bootstrap-token.mjs:77
Impact Figma access tokens stored in openclaw.json could be read by other processes with filesystem access to ~/.openclaw/
scripts/bootstrap-token.mjs:77

Findings 5 items

Severity Finding Location
High
Undeclared scanning of Claude Code credential store Credential Theft
token-scanner.mjs reads and parses ~/.claude/.credentials.json, iterating all mcpOAuth keys to extract Figma tokens. This is not declared in SKILL.md's prerequisites or in any capability group. While the intent is to bootstrap a Figma MCP token, the scanning pattern (iterating all keys rather than only Figma-specific paths) and the absence of any disclosure raise concerns.
for (const [key, val] of Object.entries(mcpOAuth)) {
  if (key.includes('figma') && val?.accessToken) {
→ Either replace with a user-provided token input, or document this clearly in SKILL.md with an explicit list of scanned files and the reasoning.
scripts/token-scanner.mjs:56
High
Undeclared scanning of Codex and Windsurf credential stores Credential Theft
The same token-scanner.mjs also reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json. SKILL.md mentions 'Claude Code' and 'add Figma in MCP settings' for Codex/Cursor/VS Code, but never describes that this skill will parse their local credential files.
const codexPath = join(HOME, '.codex', 'auth.json');
...
const windsurfPath = join(HOME, '.codeium', 'windsurf', 'mcp_config.json');
→ Document each credential store path explicitly. Consider removing Codex and Windsurf scanning if Figma tokens stored there are not actually needed for this skill.
scripts/token-scanner.mjs:74
Medium
SKILL.md declares only env and node requirements, omits all file and network access Doc Mismatch
The 'requires' section of SKILL.md only states env: FIGMA_MCP_TOKEN and anyBins: node. It never mentions that bootstrap-token.mjs will read 3 credential files, make HTTP POST requests to api.figma.com, and write to openclaw.json. This constitutes a documentation mismatch on declared vs actual capabilities.
requires:
  env:
    - FIGMA_MCP_TOKEN
  anyBins:
    - node
→ Update the requires section to include filesystem:READ (for credential store scanning), network:WRITE (for token refresh), and filesystem:WRITE (for openclaw.json config updates). Add a security notes section explicitly listing scanned credential file paths.
SKILL.md:1
Medium
Overly broad key iteration in Claude Code credential parsing Sensitive Access
The Claude Code scan iterates all keys in mcpOAuth (Object.entries) and checks key.includes('figma'). This structural pattern (full key iteration + string containment check) is a common indicator of token harvesting code, even though the specific filter narrows the scope at evaluation time. The same pattern exists for Codex auth.json (all top-level keys iterated).
for (const [key, val] of Object.entries(mcpOAuth)) {
  if (key.includes('figma') && val?.accessToken) {
→ Refactor to use targeted key lookups rather than full object iteration to reduce ambiguity about intent.
scripts/token-scanner.mjs:60
Low
Token bootstrap script and --refresh flag not documented in SKILL.md Doc Mismatch
SKILL.md describes 'node scripts/bootstrap-token.mjs' but does not document the --refresh flag which performs a network request. The token refresh capability (POST to Figma OAuth endpoint) is entirely absent from documentation.
Token bootstrap:
node scripts/bootstrap-token.mjs          # scan + write
→ Add documentation for all command-line flags: --dry-run, --refresh. Note that --refresh requires network access to api.figma.com.
SKILL.md:58
Resource      Declared  Inferred  Status        Evidence
Filesystem    NONE      READ      ✗ Violation   token-scanner.mjs:56-72 reads ~/.claude/.credentials.json, ~/.codex/auth.json, ~…
Filesystem    NONE      WRITE     ✗ Violation   bootstrap-token.mjs:77 writes to openclaw.json — SKILL.md declares only FIGMA_MC…
Network       NONE      WRITE     ✗ Violation   bootstrap-token.mjs:39-49 POSTs refresh token to api.figma.com/v1/oauth/token — …
Environment   READ      READ      ✓ Aligned     SKILL.md declares FIGMA_MCP_TOKEN env requirement; figma-mcp-cli.mjs:9 reads pro…
Shell         NONE      NONE                    No subprocess or shell execution found
13 findings

Severity  Type          Value                                                            Location
Medium    External URL  https://keepachangelog.com/                                      CHANGELOG.md:5
Medium    External URL  https://semver.org/                                              CHANGELOG.md:5
Medium    External URL  https://help.figma.com/hc/en-us/articles/32132100833559          README.md:5
Medium    External URL  https://img.shields.io/badge/License-MIT-green.svg               README.md:9
Medium    External URL  https://img.shields.io/badge/version-v0.1.1-blue.svg             README.md:10
Medium    External URL  https://clawhub.ai                                               README.md:11
Medium    External URL  https://img.shields.io/badge/ClawHub-skill-purple.svg            README.md:11
Medium    External URL  https://mcp.figma.com/mcp                                        README.md:37
Medium    External URL  https://nodejs.org                                               README.md:57
Medium    External URL  https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/  README.md:168
Medium    External URL  https://api.figma.com/v1/oauth/token                             scripts/bootstrap-token.mjs:32
Medium    External URL  https://figma.com/mcp                                            scripts/figma-mcp.mjs:179
Info      Email         [email protected]                                                package.json:7

File Tree

9 files · 35.4 KB · 961 lines
Markdown: 4 files · 491 lines; JavaScript: 4 files · 451 lines; JSON: 1 file · 19 lines
├─ 📁 references
│ └─ 📝 figma-api.md Markdown 35L · 1.2 KB
├─ 📁 scripts
│ ├─ 🔑 bootstrap-token.mjs JavaScript 137L · 4.4 KB
│ ├─ 📜 figma-mcp-cli.mjs JavaScript 28L · 925 B
│ ├─ 📜 figma-mcp.mjs JavaScript 196L · 6.9 KB
│ └─ 🔑 token-scanner.mjs JavaScript 90L · 2.8 KB
├─ 📝 CHANGELOG.md Markdown 29L · 1.6 KB
├─ 📋 package.json JSON 19L · 428 B
├─ 📝 README.md Markdown 203L · 7.7 KB
└─ 📝 SKILL.md Markdown 224L · 9.4 KB

Dependencies 1 item

Package  Version  Source  Known Vulns  Notes
none     N/A      none    No           No npm dependencies — pure Node.js built-ins (fs, os, path, fetch)

Security Positives

✓ Zero npm dependencies in package.json — eliminates supply-chain attack surface entirely
✓ No base64 encoding, eval(), or obfuscated code patterns anywhere in the codebase
✓ Tokens are written only to the local openclaw.json config, not exfiltrated to external servers
✓ Token refresh targets the official Figma OAuth endpoint (api.figma.com), not an attacker-controlled server
✓ Claude Code token scan includes a Figma-scope filter (key.includes('figma')) limiting data exposure
✓ No reverse shell, C2 communication, or data theft chains identified
✓ Code is modular with clear separation: token-scanner.mjs (file I/O), bootstrap-token.mjs (network + config), figma-mcp.mjs (MCP client)