Suspicious: risk score 48/100
Last scanned: 1 day ago
figma-agent
Unified Figma skill for OpenClaw. Reads design context via Figma's Remote MCP and routes write/edit/create operations through ACP coding sessions.
The skill reads Figma OAuth tokens from third-party credential stores (Claude Code, Codex, Windsurf) and writes them into the OpenClaw config. This is a credential-harvesting pattern that is not declared anywhere in SKILL.md, so it carries a significant documentation-deception risk.
Skill name: figma-agent
Analysis time: 58.4s
Engine: pi
Use with caution
Recommendation: Remove the credential-store scanning logic from token-scanner.mjs. Replace it with a user-driven flow in which the token is pasted or supplied directly (for example through the already-declared FIGMA_MCP_TOKEN environment variable), or clearly document the credential scanning in SKILL.md with a prominent security warning that lists exactly which files are read and why.

Attack chain (6 steps)

1. Entry: the skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN). (SKILL.md:1)
2. Escalation: bootstrap-token.mjs invokes token-scanner.mjs, which reads ~/.claude/.credentials.json and iterates over every mcpOAuth entry. (scripts/token-scanner.mjs:56)
3. Escalation: the same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens. (scripts/token-scanner.mjs:74)
4. Escalation: if --refresh is passed, bootstrap-token.mjs POSTs the refresh token to api.figma.com, network access that SKILL.md does not declare. (scripts/bootstrap-token.mjs:39)
5. Escalation: the extracted tokens are written to openclaw.json under mcp.servers.figma, a config-file modification that SKILL.md does not declare. (scripts/bootstrap-token.mjs:77)
6. Impact: Figma access tokens stored in openclaw.json can be read by any other process with filesystem access to ~/.openclaw/. (scripts/bootstrap-token.mjs:77)

Security findings (5)

High · Credential theft
Undeclared scanning of Claude Code credential store
token-scanner.mjs reads and parses ~/.claude/.credentials.json, iterating over all mcpOAuth keys to extract Figma tokens. This is not declared in SKILL.md's prerequisites or in any capability group. While the intent is to bootstrap a Figma MCP token, the scanning pattern (iterating every key rather than reading one Figma-specific path) combined with the complete absence of disclosure is a concern.
for (const [key, val] of Object.entries(mcpOAuth)) {
  if (key.includes('figma') && val?.accessToken) {
→ Either replace this with a user-provided token input, or document it clearly in SKILL.md with an explicit list of the scanned files and the reasoning.
Location: scripts/token-scanner.mjs:56
High · Credential theft
Undeclared scanning of Codex and Windsurf credential stores
The same token-scanner.mjs also reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json. SKILL.md mentions 'Claude Code' and 'add Figma in MCP settings' for Codex/Cursor/VS Code, but never states that the skill will parse those tools' local credential files.
const codexPath = join(HOME, '.codex', 'auth.json');
...
const windsurfPath = join(HOME, '.codeium', 'windsurf', 'mcp_config.json');
→ Document each credential-store path explicitly. Consider removing the Codex and Windsurf scanning if Figma tokens stored there are not actually needed by this skill.
Location: scripts/token-scanner.mjs:74
Medium · Documentation deception
SKILL.md declares only env and node requirements and omits all file and network access
The 'requires' section of SKILL.md states only env: FIGMA_MCP_TOKEN and anyBins: node. It never mentions that bootstrap-token.mjs reads three credential files, makes HTTP POST requests to api.figma.com, and writes to openclaw.json. This is a mismatch between declared and actual capabilities.
requires:
  env:
    - FIGMA_MCP_TOKEN
  anyBins:
    - node
→ Update the requires section to include filesystem:READ (for the credential-store scan), network:WRITE (for the token refresh), and filesystem:WRITE (for the openclaw.json update). Add a security-notes section that explicitly lists the scanned credential file paths.
Location: SKILL.md:1
Medium · Sensitive access
Overly broad key iteration in Claude Code credential parsing
The Claude Code scan iterates over every key in mcpOAuth (Object.entries) and checks key.includes('figma'). This structural pattern (full key iteration followed by a substring check) is a common indicator of token-harvesting code, even though the filter narrows the scope at evaluation time. The same pattern appears for Codex auth.json, where all top-level keys are iterated.
for (const [key, val] of Object.entries(mcpOAuth)) {
  if (key.includes('figma') && val?.accessToken) {
→ Refactor to targeted key lookups instead of full-object iteration, so the intent is unambiguous.
Location: scripts/token-scanner.mjs:60
Low · Documentation deception
Token bootstrap script and --refresh flag not documented in SKILL.md
SKILL.md documents 'node scripts/bootstrap-token.mjs' but not the --refresh flag, which performs a network request. The token-refresh capability (POST to Figma's OAuth endpoint) is entirely absent from the documentation.
Token bootstrap:
node scripts/bootstrap-token.mjs          # scan + write
→ Document every command-line flag (--dry-run, --refresh) and note that --refresh requires network access to api.figma.com.
Location: SKILL.md:58
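The fix the findings above recommend, worked through as an added example (this is not the figma-agent skill's own bootstrap-token.mjs): the token comes only from the already-declared FIGMA_MCP_TOKEN variable or an explicit argument, so no ~/.claude, ~/.codex or ~/.codeium file is ever opened; the config is written with owner-only permissions and an atomic rename so other local processes cannot read or half-read it; and a dry-run mode is built in. It assumes a JSON config at <configDir>/openclaw.json with the token stored at mcp.servers.figma.token (the page only shows the mcp.servers.figma prefix, so the token key name is an assumption). The demo() function exercises it against a temp directory with a constructed token.

```javascript
// Hardened token bootstrap: added example, not the figma-agent skill's own code.
// Assumptions (hypothetical): config is JSON at <configDir>/openclaw.json and the
// token lives at mcp.servers.figma.token; the real key layout is not on the page.
import { chmodSync, existsSync, mkdirSync, mkdtempSync, readFileSync, renameSync, statSync, writeFileSync } from 'node:fs';
import { join } from 'node:path';
import { tmpdir } from 'node:os';

// The only token sources are an explicit argument or the declared env var.
export function resolveToken({ env = process.env, explicit = null } = {}) {
  const token = explicit ?? env.FIGMA_MCP_TOKEN ?? null;
  if (!token) throw new Error('FIGMA_MCP_TOKEN is not set: export it or pass the token explicitly');
  // Shape check (assumed format: printable ASCII, no whitespace, 20..512 chars).
  if (!/^[\x21-\x7e]{20,512}$/.test(token)) throw new Error('token has an unexpected shape');
  return token;
}

// Merge the token into a copy of the config without touching unrelated keys.
export function applyToken(config, token) {
  const next = JSON.parse(JSON.stringify(config ?? {}));
  next.mcp ??= {};
  next.mcp.servers ??= {};
  next.mcp.servers.figma = { ...(next.mcp.servers.figma ?? {}), token };
  return next;
}

// Owner-only (0600), atomic write: other local users cannot read the token and
// no process ever observes a half-written openclaw.json.
export function writeConfig(configDir, config, { dryRun = false } = {}) {
  const path = join(configDir, 'openclaw.json');
  const body = JSON.stringify(config, null, 2) + '\n';
  if (dryRun) return { path, written: false, bytes: body.length };
  mkdirSync(configDir, { recursive: true, mode: 0o700 });
  const tmp = `${path}.${process.pid}.tmp`;
  writeFileSync(tmp, body, { mode: 0o600 }); // mode only applies when the file is created...
  chmodSync(tmp, 0o600);                      // ...so set it explicitly as well
  renameSync(tmp, path);                      // atomic replace on POSIX filesystems
  return { path, written: true, bytes: body.length };
}

export function bootstrap(configDir, opts = {}) {
  const token = resolveToken(opts);
  const path = join(configDir, 'openclaw.json');
  const existing = existsSync(path) ? JSON.parse(readFileSync(path, 'utf8')) : {};
  return writeConfig(configDir, applyToken(existing, token), { dryRun: opts.dryRun === true });
}

// Log-safe representation: never print the token itself.
export function redact(token) {
  return `${token.slice(0, 4)}...(${token.length} chars)`;
}

// Self-contained demo against a temp directory with a constructed, non-functional token.
export function demo() {
  const dir = mkdtempSync(join(tmpdir(), 'openclaw-example-'));
  const fake = 'figd_CONSTRUCTED_EXAMPLE_TOKEN_0123456789'; // constructed, not a real credential
  const dry = bootstrap(dir, { explicit: fake, dryRun: true });
  const real = bootstrap(dir, { explicit: fake });
  const saved = JSON.parse(readFileSync(real.path, 'utf8'));
  return {
    dryRunWrote: dry.written,                       // false
    mode: statSync(real.path).mode & 0o777,         // 0o600 on POSIX
    stored: saved.mcp.servers.figma.token === fake, // true
    log: redact(fake),                              // "figd...(41 chars)"
  };
}
```

In a real skill the entry point would be `bootstrap(join(homedir(), '.openclaw'), { dryRun: process.argv.includes('--dry-run') })`. The --refresh path is deliberately absent: if a refresh is needed it belongs in a separate, documented step with network:WRITE declared in SKILL.md.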
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✗ Undeclared | token-scanner.mjs:56-72 reads ~/.claude/.credentials.json, ~/.codex/auth.json, ~… |
| Filesystem | NONE | WRITE | ✗ Undeclared | bootstrap-token.mjs:77 writes to openclaw.json; SKILL.md declares only FIGMA_MC… |
| Network | NONE | WRITE | ✗ Undeclared | bootstrap-token.mjs:39-49 POSTs refresh token to api.figma.com/v1/oauth/token … |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md declares FIGMA_MCP_TOKEN env requirement; figma-mcp-cli.mjs:9 reads pro… |
| Command execution | NONE | NONE | n/a | No subprocess or shell execution found |
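The declared-versus-inferred comparison behind this table, as an added example that is neither the scanner's nor the skill's code: it parses the requires: block of a SKILL.md frontmatter, scans source text for file, network, exec, env and credential-store signals (including the "iterate every key, then filter by substring" shape flagged in the findings), and reports each capability as declared or undeclared with file:line evidence. The requires: subset it parses, the capability names (filesystem:READ, network:WRITE, ...), and the sample SKILL.md and scripts are assumptions and constructed inputs modelled on the report's excerpts, not the real files.

```javascript
// Declared-vs-inferred capability audit for an agent skill: added example, not the
// scanner's or the skill's code. Capability names and the requires: subset are
// assumptions about the OpenClaw format; sample inputs below are constructed.

// Known credential stores, matched as a path literal or as join(HOME, ...) arguments.
const CREDENTIAL_STORES = [
  { tool: 'Claude Code', re: /\.claude['"],\s*['"]\.credentials\.json|\.claude\/\.credentials\.json/ },
  { tool: 'Codex',       re: /\.codex['"],\s*['"]auth\.json|\.codex\/auth\.json/ },
  { tool: 'Windsurf',    re: /\.codeium['"],\s*['"]windsurf['"],\s*['"]mcp_config\.json|\.codeium\/windsurf\/mcp_config\.json/ },
];
// Source-level signals that imply a capability; first match per file is kept as evidence.
const SIGNALS = [
  { cap: 'filesystem:READ',  re: /\breadFile(Sync)?\s*\(/ },
  { cap: 'filesystem:WRITE', re: /\bwriteFile(Sync)?\s*\(/ },
  { cap: 'network',          re: /\bfetch\s*\(/ },              // refined to READ/WRITE below
  { cap: 'exec',             re: /\b(exec|execSync|spawn|spawnSync)\s*\(/ },
  { cap: 'env:READ',         re: /\bprocess\.env\b/ },
];
const MUTATING = /method\s*:\s*['"](POST|PUT|PATCH|DELETE)['"]/i;
// Full key iteration followed by a substring filter: the harvesting shape the report flags.
const HARVEST = /Object\.(entries|keys)\([^)]*\)[\s\S]{0,160}?\.includes\(/;

const lineOf = (src, index) => src.slice(0, index).split('\n').length;

// Parse only the requires: block of the frontmatter (two-level YAML subset:
// "  key:" lines followed by "    - item" lines). env entries declare env:READ.
function declaredCapabilities(skillMd) {
  const caps = new Set();
  const fm = skillMd.match(/^---\n([\s\S]*?)\n---/);
  if (!fm) return caps;
  let inRequires = false, key = null;
  for (const line of fm[1].split('\n')) {
    if (/^requires:\s*$/.test(line)) { inRequires = true; continue; }
    if (!inRequires) continue;
    if (/^\S/.test(line)) break;                     // next top-level key ends the block
    const k = line.match(/^  (\w+):\s*$/);
    if (k) { key = k[1]; if (key === 'env') caps.add('env:READ'); continue; }
    const item = line.match(/^    - (\S+)/);
    if (item && key && key !== 'env' && key !== 'anyBins') caps.add(`${key}:${item[1]}`);
  }
  return caps;
}

// files: { [relativePath]: sourceText }
function inferCapabilities(files) {
  const inferred = new Map();   // cap -> "file:line" of first evidence
  const notes = [];
  const record = (cap, file, src, m) => {
    if (!inferred.has(cap)) inferred.set(cap, `${file}:${lineOf(src, m.index)}`);
  };
  for (const [file, src] of Object.entries(files)) {
    for (const { cap, re } of SIGNALS) {
      const m = src.match(re);
      if (!m) continue;
      const refined = cap === 'network' ? (MUTATING.test(src) ? 'network:WRITE' : 'network:READ') : cap;
      record(refined, file, src, m);
    }
    for (const { tool, re } of CREDENTIAL_STORES) {
      const m = src.match(re);
      if (m) notes.push(`${file}:${lineOf(src, m.index)} reads the ${tool} credential store`);
    }
    const h = src.match(HARVEST);
    if (h) notes.push(`${file}:${lineOf(src, h.index)} iterates all keys then filters by substring (harvesting shape)`);
  }
  return { inferred, notes };
}

// Produce the declared / inferred / status rows of the permission table.
function audit(skillMd, files) {
  const declared = declaredCapabilities(skillMd);
  const { inferred, notes } = inferCapabilities(files);
  const rows = [...inferred].map(([cap, evidence]) => ({ cap, declared: declared.has(cap), evidence }));
  for (const cap of declared) if (!inferred.has(cap)) rows.push({ cap, declared: true, evidence: 'declared, not observed' });
  return { rows, undeclared: rows.filter(r => !r.declared).map(r => r.cap), notes };
}

// Constructed sample input modelled on the report's excerpts (not the skill's real files).
const SAMPLE_SKILL_MD = `---
name: figma-agent
requires:
  env:
    - FIGMA_MCP_TOKEN
  anyBins:
    - node
---
# figma-agent
`;
const SAMPLE_FILES = {
  'scripts/token-scanner.mjs': `import { readFileSync } from 'node:fs';
import { join } from 'node:path';
const HOME = process.env.HOME;
export function scan() {
  const claude = JSON.parse(readFileSync(join(HOME, '.claude', '.credentials.json'), 'utf8'));
  const out = [];
  for (const [key, val] of Object.entries(claude.mcpOAuth ?? {})) {
    if (key.includes('figma') && val?.accessToken) out.push(val.accessToken);
  }
  const codexPath = join(HOME, '.codex', 'auth.json');
  return out;
}
`,
  'scripts/bootstrap-token.mjs': `import { writeFileSync } from 'node:fs';
export async function refresh(token) {
  return fetch('https://api.figma.com/v1/oauth/token', { method: 'POST', body: token });
}
export function save(cfg) { writeFileSync('openclaw.json', JSON.stringify(cfg)); }
`,
};

const report = audit(SAMPLE_SKILL_MD, SAMPLE_FILES);
for (const r of report.rows) console.log(`${r.cap.padEnd(16)} ${r.declared ? 'declared' : 'UNDECLARED'}  ${r.evidence}`);
for (const n of report.notes) console.log('note:', n);
```

On the constructed sample this reports filesystem:READ, filesystem:WRITE and network:WRITE as undeclared and env:READ as consistent, which is the same shape as the table above. Regex signals are deliberately coarse (a `.exec(` on a RegExp would trip the exec rule, for instance); the point is to surface a declared/actual mismatch for a human to review, not to prove the absence of one.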
Other findings (13)

Medium · External URL · https://keepachangelog.com/ · CHANGELOG.md:5
Medium · External URL · https://semver.org/ · CHANGELOG.md:5
Medium · External URL · https://help.figma.com/hc/en-us/articles/32132100833559 · README.md:5
Medium · External URL · https://img.shields.io/badge/License-MIT-green.svg · README.md:9
Medium · External URL · https://img.shields.io/badge/version-v0.1.1-blue.svg · README.md:10
Medium · External URL · https://clawhub.ai · README.md:11
Medium · External URL · https://img.shields.io/badge/ClawHub-skill-purple.svg · README.md:11
Medium · External URL · https://mcp.figma.com/mcp · README.md:37
Medium · External URL · https://nodejs.org · README.md:57
Medium · External URL · https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/ · README.md:168
Medium · External URL · https://api.figma.com/v1/oauth/token · scripts/bootstrap-token.mjs:32
Medium · External URL · https://figma.com/mcp · scripts/figma-mcp.mjs:179
Info · Email address · [email protected] · package.json:7

Directory structure

9 files · 35.4 KB · 961 lines
Markdown 4 files · 491 lines; JavaScript 4 files · 451 lines; JSON 1 file · 19 lines
├─ 📁 references
│ └─ 📝 figma-api.md Markdown 35L · 1.2 KB
├─ 📁 scripts
│ ├─ 🔑 bootstrap-token.mjs JavaScript 137L · 4.4 KB
│ ├─ 📜 figma-mcp-cli.mjs JavaScript 28L · 925 B
│ ├─ 📜 figma-mcp.mjs JavaScript 196L · 6.9 KB
│ └─ 🔑 token-scanner.mjs JavaScript 90L · 2.8 KB
├─ 📝 CHANGELOG.md Markdown 29L · 1.6 KB
├─ 📋 package.json JSON 19L · 428 B
├─ 📝 README.md Markdown 203L · 7.7 KB
└─ 📝 SKILL.md Markdown 224L · 9.4 KB

Dependency analysis (1)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| none | N/A | none | | No npm dependencies; pure Node.js built-ins (fs, os, path, fetch) |

Security highlights

✓ Zero npm dependencies in package.json, which removes the npm supply-chain attack surface (the Node runtime and the remote Figma MCP endpoint remain as trust dependencies)
✓ No base64 encoding, eval(), or obfuscated code patterns anywhere in the codebase
✓ Tokens are written only to the local openclaw.json config; the only outbound use of a token is the --refresh POST to Figma's own OAuth endpoint, and nothing is sent to any other server
✓ Token refresh targets the official Figma OAuth endpoint (api.figma.com), not an attacker-controlled server
✓ Claude Code token scan includes a Figma-scope filter (key.includes('figma')) limiting data exposure
✓ No reverse shell, C2 communication, or data theft chains identified
✓ Code is modular with clear separation: token-scanner.mjs (file I/O), bootstrap-token.mjs (network + config), figma-mcp.mjs (MCP client)