Zeplin to Prompt
Author: sullivangu89 · v1.0.1 · MIT-0
Total downloads: 245
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install zeplin-to-prompt
Description
Export one or more Zeplin screen URLs into a structured layer tree with local assets and package the result as a zip file. Use when a user shares an app.zepl...
Security usage recommendations
This skill mostly does what it claims, but be cautious about how you supply and store Zeplin personal access tokens: the skill's workflow looks up and saves tokens in ~/.zeplin-skill-config.json and the helper node one-liners print tokens to stdout (which your agent may capture). That can expose tokens in chat logs or command output. Before installing or running:
1) Prefer providing tokens via your platform's secure secret storage (not by pasting into chat).
2) If you must paste a token, do not include it in messages that will be displayed or logged; consider setting ZEPLIN_TOKEN only in the runtime environment.
3) Review the node one-liners in SKILL.md — they read/write ~/.zeplin-skill-config.json; if you don't want tokens stored on disk, do not confirm saving them.
4) Run 'npm install' in the skill directory (README instructs this) before using the scripts.
5) Consider auditing or running the scripts in an isolated environment because they write files to your home and create build artifacts.
If you are uncomfortable with tokens being stored in a plain file or printed to stdout, do not install/use this skill until its token handling is changed to use secure storage or avoids printing tokens.
Functional analysis
Type: OpenClaw Skill
Name: zeplin-to-prompt
Version: 1.0.1
The skill is designed to export Zeplin design screens into a structured JSON/HTML format for use in AI prompts. It manages Zeplin Personal Access Tokens by storing them in a local configuration file (`~/.zeplin-skill-config.json`) with appropriate file permissions (0o600). The implementation uses Node.js and Bash to process design data, download assets from official Zeplin APIs, and package the results into a ZIP file. While it utilizes shell commands for file operations and opening the final report, it employs a robust filename sanitization utility in `lib/fsHelpers.mjs` to mitigate command injection risks. No evidence of data exfiltration, unauthorized remote access, or malicious intent was found.
Capability assessment
Purpose & Capability
The code and instructions are consistent with the stated purpose: they call the Zeplin API (via @zeplin/sdk), download assets, build a layer tree and HTML preview, and produce zip packages. Requiring project-level Zeplin tokens and writing export artifacts to a build directory is proportionate to exporting Zeplin screens.
Instruction Scope
The SKILL.md instructs the agent to read and write a user file at ~/.zeplin-skill-config.json to look up and store project tokens. The provided inline node one-liners read that file and (on success) print a token to stdout; the skill then uses that token to run export_screen.mjs. Printing tokens to stdout combined with the agent capturing command output creates an exposure risk. The SKILL.md also asks the user to paste personal access tokens into the conversation if a token is missing, which is risky if the chat transcript or command output is stored or visible. The instructions also reference running node scripts that depend on npm packages; the main SKILL.md doesn't explicitly require 'npm install' (only README does), which is a runtime mismatch that could cause failures if dependencies are not present.
Install Mechanism
There is no formal install spec (instruction-only at registry level), but the package includes package.json/package-lock.json and depends on @zeplin/sdk and dotenv. The README recommends running 'npm install' before first use. Because no automated install step is declared, the agent/runtime may attempt to run Node scripts without dependencies, leading to failures. The code and deps are sourced from npm (no suspicious external download URLs).
Credentials
The skill requires Zeplin personal access tokens per project and uses ZEPLIN_TOKEN/zeplin_token environment variables at runtime — appropriate for accessing Zeplin. However, the token storage approach (storing projectId->token in a plaintext JSON file in the user's home) and the inline node code that prints tokens to stdout are not using platform secret storage and could leak secrets. No unrelated credentials or external service tokens are requested.
Persistence & Privilege
The skill writes files into its own build/** directories and creates ~/.zeplin-skill-config.json in the user's home to persist tokens. It does not request 'always: true' and does not modify other skills. Writing to the user's home is within scope for storing tokens but is a privileged action that users should be aware of.
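How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install zeplin-to-prompt
- Once installation completes, call the Skill by name or use /zeplin-to-prompt to trigger it
- Provide the required input according to the Skill's parameter description to get structured output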
Version history
v1.0.1
- Improves handling of Zeplin screen links: extracts valid screen URLs and prompts users for correct links if needed.
- Adds per-project token management, including automated token lookup, masked prompts for missing tokens, and secure storage.
- Supports exporting multiple Zeplin screens in one command and packages local assets and metadata into a zip file.
- Replies with clear export status and usage instructions, including a summary of successes and failures.
- Includes real-time progress updates when exporting multiple screens.
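FAQ
What is Zeplin to Prompt?
Export one or more Zeplin screen URLs into a structured layer tree with local assets and package the result as a zip file. Use when a user shares an app.zepl... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 245 total downloads so far.
How do I install Zeplin to Prompt?
Run the command "/install zeplin-to-prompt" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Zeplin to Prompt free?
Yes, Zeplin to Prompt is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Zeplin to Prompt support?
Zeplin to Prompt is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Zeplin to Prompt?
It is developed and maintained by sullivangu89 (@sullivangu); the current version is v1.0.1.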