安全决策报告
figma-agent
The skill reads Figma OAuth tokens from third-party credential stores (Claude Code, Codex, Windsurf) and writes them to OpenClaw config — a credential harvesting pattern that is completely undeclared in SKILL.md, creating significant documentation deception risk.
最直接的威胁证据
01
Skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN) 初始入口 · SKILL.md
02
bootstrap-token.mjs invokes token-scanner.mjs which reads ~/.claude/.credentials.json, iterating all mcpOAuth entries reconnaissance · scripts/token-scanner.mjs
03
Same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens reconnaissance · scripts/token-scanner.mjs
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 3 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 13 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 6 步攻击链,另有 2 项高危或严重发现。
通过
依赖与供应链卫生
依赖结构存在,但暂未看到明显高危告警。
攻击链
01
Skill presents as a legitimate Figma design tool with minimal requirements (node + FIGMA_MCP_TOKEN)
初始入口 · SKILL.md:1
02
bootstrap-token.mjs invokes token-scanner.mjs which reads ~/.claude/.credentials.json, iterating all mcpOAuth entries
reconnaissance · scripts/token-scanner.mjs:56
03
Same scanner reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json for additional tokens
reconnaissance · scripts/token-scanner.mjs:74
04
If --refresh is passed, bootstrap-token.mjs POSTs refresh token to api.figma.com — undeclared network access
权限提升 · scripts/bootstrap-token.mjs:39
05
Extracted tokens are written to openclaw.json under mcp.servers.figma — config file modification undeclared
持久化 · scripts/bootstrap-token.mjs:77
06
Figma access tokens stored in openclaw.json could be read by other processes with filesystem access to ~/.openclaw/
最终危害 · scripts/bootstrap-token.mjs:77
风险分是怎么被拉高的
Undeclared credential file access +20
SKILL.md never mentions that bootstrap-token.mjs scans ~/.claude/.credentials.json, ~/.codex/auth.json, and ~/.codeium/windsurf/mcp_config.json for OAuth tokens — this is a critical omission
Credential scanning logic is hidden in token-scanner.mjs +10
The token-scanner.mjs file iterates all keys in mcpOAuth and all top-level keys in auth.json, making it structurally capable of harvesting non-Figma tokens beyond declared scope
Undeclared network access +8
bootstrap-token.mjs performs POST to api.figma.com for token refresh, not declared in SKILL.md prerequisites or capability groups
Undeclared filesystem WRITE +5
Token is written to openclaw.json (filesystem:WRITE) — SKILL.md only declares FIGMA_MCP_TOKEN env requirement, not config file modification
Positive: No evidence of exfiltration +-5
Tokens are written only to openclaw.json, not exfiltrated to third-party servers; refresh targets official Figma API
Positive: Figma-scope filtering +-3
Claude Code token scan filters by key.includes('figma'), reducing scope of harvested data
最关键的证据
高危 凭证窃取
Undeclared scanning of Claude Code credential store
token-scanner.mjs reads and parses ~/.claude/.credentials.json, iterating all mcpOAuth keys to extract Figma tokens. This is not declared in SKILL.md's prerequisites or any capability group. While the intent is to bootstrap a Figma MCP token, the scanning pattern (iterating all keys, not just Figma-specific paths) and the absence of any disclosure raises concerns.
scripts/token-scanner.mjs:56 Either replace with a user-provided token input, or document this clearly in SKILL.md with an explicit list of scanned files and the reasoning.
高危 凭证窃取
Undeclared scanning of Codex and Windsurf credential stores
The same token-scanner.mjs also reads ~/.codex/auth.json and ~/.codeium/windsurf/mcp_config.json. SKILL.md mentions 'Claude Code' and 'add Figma in MCP settings' for Codex/Cursor/VS Code, but never describes that this skill will parse their local credential files.
scripts/token-scanner.mjs:74 Document each credential store path explicitly. Consider removing Codex and Windsurf scanning if Figma tokens stored there are not actually needed for this skill.
中危 文档欺骗
SKILL.md declares only env and node requirements, omits all file and network access
The 'requires' section of SKILL.md only states env: FIGMA_MCP_TOKEN and anyBins: node. It never mentions that bootstrap-token.mjs will read 3 credential files, make HTTP POST requests to api.figma.com, and write to openclaw.json. This constitutes a documentation mismatch on declared vs actual capabilities.
SKILL.md:1 Update the requires section to include filesystem:READ (for credential store scanning), network:WRITE (for token refresh), and filesystem:WRITE (for openclaw.json config updates). Add a security notes section explicitly listing scanned credential file paths.
中危 敏感访问
Overly broad key iteration in Claude Code credential parsing
The Claude Code scan iterates all keys in mcpOAuth (Object.entries) and checks key.includes('figma'). This structural pattern (full key iteration + string containment check) is a common indicator of token harvesting code, even though the specific filter narrows the scope at evaluation time. The same pattern exists for Codex auth.json (all top-level keys iterated).
scripts/token-scanner.mjs:60 Refactor to use targeted key lookups rather than full object iteration to reduce ambiguity about intent.
低危 文档欺骗
Token bootstrap script and --refresh flag not documented in SKILL.md
SKILL.md describes 'node scripts/bootstrap-token.mjs' but does not document the --refresh flag which performs a network request. The token refresh capability (POST to Figma OAuth endpoint) is entirely absent from documentation.
SKILL.md:58 Add documentation for all command-line flags: --dry-run, --refresh. Note that --refresh requires network access to api.figma.com.
声明能力 vs 实际能力
文件系统 阻止
声明 NONE
→ 推断 READ
token-scanner.mjs:56-72 reads ~/.claude/.credentials.json, ~/.codex/auth.json, ~/.codeium/windsurf/mcp_config.json — no filesystem:READ declared anywhere in SKILL.md 文件系统 阻止
声明 NONE
→ 推断 WRITE
bootstrap-token.mjs:77 writes to openclaw.json — SKILL.md declares only FIGMA_MCP_TOKEN env requirement, not config file writes 网络访问 阻止
声明 NONE
→ 推断 WRITE
bootstrap-token.mjs:39-49 POSTs refresh token to api.figma.com/v1/oauth/token — no network access declared in SKILL.md 环境变量 通过
声明 READ
→ 推断 READ
SKILL.md declares FIGMA_MCP_TOKEN env requirement; figma-mcp-cli.mjs:9 reads process.env.FIGMA_MCP_TOKEN 命令执行 通过
声明 NONE
→ 推断 NONE
No subprocess or shell execution found 可疑产物与外联
中危 外部 URL
https://keepachangelog.com/ CHANGELOG.md:5
中危 外部 URL
https://semver.org/ CHANGELOG.md:5
中危 外部 URL
https://help.figma.com/hc/en-us/articles/32132100833559 README.md:5
中危 外部 URL
https://img.shields.io/badge/License-MIT-green.svg README.md:9
中危 外部 URL
https://img.shields.io/badge/version-v0.1.1-blue.svg README.md:10
中危 外部 URL
https://clawhub.ai README.md:11
中危 外部 URL
https://img.shields.io/badge/ClawHub-skill-purple.svg README.md:11
中危 外部 URL
https://mcp.figma.com/mcp README.md:37
中危 外部 URL
https://nodejs.org README.md:57
中危 外部 URL
https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/ README.md:168
中危 外部 URL
https://api.figma.com/v1/oauth/token scripts/bootstrap-token.mjs:32
中危 外部 URL
https://figma.com/mcp scripts/figma-mcp.mjs:179
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| none | N/A | none | 否 | No npm dependencies — pure Node.js built-ins (fs, os, path, fetch) |
文件构成
9 个文件 · 961 行
Markdown 4 个文件 · 491 行JavaScript 4 个文件 · 451 行JSON 1 个文件 · 19 行
需关注文件 · 7
scripts/bootstrap-token.mjs https://api.figma.com/v1/oauth/token
scripts/token-scanner.mjs Undeclared scanning of Claude Code credential store · Undeclared scanning of Codex and Windsurf credential stores · Overly broad key iteration in Claude Code credential parsing
SKILL.md SKILL.md declares only env and node requirements, omits all file and network access · Token bootstrap script and --refresh flag not documented in SKILL.md
README.md https://help.figma.com/hc/en-us/articles/32132100833559 · https://img.shields.io/badge/License-MIT-green.svg · https://img.shields.io/badge/version-v0.1.1-blue.svg · https://clawhub.ai · https://img.shields.io/badge/ClawHub-skill-purple.svg · https://mcp.figma.com/mcp · https://nodejs.org · https://developers.figma.com/docs/figma-mcp-server/write-to-canvas/
scripts/figma-mcp.mjs https://figma.com/mcp
CHANGELOG.md https://keepachangelog.com/ · https://semver.org/
package.json 其他文件 · figma-api.md · figma-mcp-cli.mjs
安全亮点
Zero npm dependencies in package.json — eliminates supply-chain attack surface entirely
No base64 encoding, eval(), or obfuscated code patterns anywhere in the codebase
Tokens are written only to the local openclaw.json config, not exfiltrated to external servers
Token refresh targets the official Figma OAuth endpoint (api.figma.com), not an attacker-controlled server
Claude Code token scan includes a Figma-scope filter (key.includes('figma')) limiting data exposure
No reverse shell, C2 communication, or data theft chains identified
Code is modular with clear separation: token-scanner.mjs (file I/O), bootstrap-token.mjs (network + config), figma-mcp.mjs (MCP client)