From anima-pack
Secures Anima and Figma tokens for design-to-code: checklists for minimal scopes, server-side TypeScript enforcement, GCP secret loading, CI secrets, and gitignore.
```bash
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin anima-pack
```

- [ ] Anima token stored in secret manager (not .env in prod)
- [ ] .env files gitignored and chmod 600

```bash
# When creating a Figma Personal Access Token:
# - Give it the MINIMUM scope needed: File Content (read-only)
# - Do NOT grant write access unless you need Figma plugin features
# - Set an expiration date (90 days recommended)
# - Create separate tokens for dev vs CI environments
```

```typescript
// src/anima/safety.ts
// Anima SDK is designed for server-side use only
function validateEnvironment(): void {
  if (typeof window !== 'undefined') {
    throw new Error('Anima SDK must run server-side only — never import in browser code');
  }
  if (!process.env.ANIMA_TOKEN) throw new Error('ANIMA_TOKEN not set');
  if (!process.env.FIGMA_TOKEN) throw new Error('FIGMA_TOKEN not set');
}

// Call this at startup
validateEnvironment();
```

```typescript
// src/anima/secrets.ts
// Load both tokens from GCP Secret Manager; fail closed if anything is missing.
async function loadAnimaSecrets(): Promise<{ animaToken: string; figmaToken: string }> {
  const project = process.env.GCP_PROJECT;
  if (!project) throw new Error('GCP_PROJECT not set');

  const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
  const client = new SecretManagerServiceClient();

  // Read one secret and reject an empty payload instead of returning ''.
  const read = async (secretId: string): Promise<string> => {
    const [version] = await client.accessSecretVersion({
      name: `projects/${project}/secrets/${secretId}/versions/latest`,
    });
    const value = version.payload?.data?.toString();
    if (!value) throw new Error(`Secret ${secretId} is empty or unreadable`);
    return value;
  };

  return {
    animaToken: await read('anima-token'),
    figmaToken: await read('figma-token'),
  };
}
```

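
For local development, the checklist item ".env files gitignored and chmod 600" can be checked mechanically. The following is an added example, not part of anima-pack: the names `auditEnvFiles` and `isIgnored` are hypothetical, the `.gitignore` matcher is a simplified top-level subset of Git's rules, and `.env.example` is assumed to be a secret-free template. File modes are only meaningful on POSIX systems.

```typescript
import * as fs from 'node:fs';
import * as path from 'node:path';

// Simplified .gitignore matching (assumption): top-level patterns only,
// '*' and '?' globs, '!' negation, last matching pattern wins.
function isIgnored(name: string, patterns: string[]): boolean {
  let ignored = false;
  for (const raw of patterns) {
    const negated = raw.startsWith('!');
    const glob = (negated ? raw.slice(1) : raw).replace(/^\//, '');
    const source = glob
      .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    if (new RegExp(`^${source}$`).test(name)) ignored = !negated;
  }
  return ignored;
}

// Returns one finding per problem; an empty array means the check passes.
function auditEnvFiles(repoDir: string): string[] {
  const findings: string[] = [];
  const gitignore = path.join(repoDir, '.gitignore');
  const patterns = fs.existsSync(gitignore)
    ? fs.readFileSync(gitignore, 'utf8')
        .split(/\r?\n/)
        .map((line) => line.trim())
        .filter((line) => line !== '' && !line.startsWith('#'))
    : [];

  for (const name of fs.readdirSync(repoDir)) {
    const isEnvFile = name === '.env' || name.startsWith('.env.');
    if (!isEnvFile || name === '.env.example') continue; // template holds no secrets (assumption)

    const mode = fs.statSync(path.join(repoDir, name)).mode & 0o777;
    if ((mode & 0o077) !== 0) {
      findings.push(`${name}: mode ${mode.toString(8)} grants group/other access, expected 600`);
    }
    if (!isIgnored(name, patterns)) {
      findings.push(`${name}: not matched by .gitignore`);
    }
  }
  return findings;
}
```

Run it from a pre-commit hook or CI step and fail the job when the returned array is non-empty.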
For production deployment, see anima-prod-checklist.