Stats
Actions
Tags
From anima-pack
Secures Anima and Figma tokens for design-to-code: checklists for minimal scopes, server-side TypeScript enforcement, GCP secret loading, CI secrets, and gitignore.
How this skill is triggered — by the user, by Claude, or both
Slash command
/anima-pack:anima-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- [ ] Anima token stored in secret manager (not .env in prod)
.env files gitignored and chmod 600# When creating a Figma Personal Access Token:
# - Give it the MINIMUM scope needed: File Content (read-only)
# - Do NOT grant write access unless you need Figma plugin features
# - Set an expiration date (90 days recommended)
# - Create separate tokens for dev vs CI environments
// src/anima/safety.ts
// Anima SDK is designed for server-side use only
function validateEnvironment(): void {
if (typeof window !== 'undefined') {
throw new Error('Anima SDK must run server-side only — never import in browser code');
}
if (!process.env.ANIMA_TOKEN) throw new Error('ANIMA_TOKEN not set');
if (!process.env.FIGMA_TOKEN) throw new Error('FIGMA_TOKEN not set');
}
// Call this at startup
validateEnvironment();
// src/anima/secrets.ts
async function loadAnimaSecrets(): Promise<{ animaToken: string; figmaToken: string }> {
const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient();
const [animaVersion] = await client.accessSecretVersion({
name: `projects/${process.env.GCP_PROJECT}/secrets/anima-token/versions/latest`,
});
const [figmaVersion] = await client.accessSecretVersion({
name: `projects/${process.env.GCP_PROJECT}/secrets/figma-token/versions/latest`,
});
return {
animaToken: animaVersion.payload?.data?.toString() || '',
figmaToken: figmaVersion.payload?.data?.toString() || '',
};
}
For production deployment, see anima-prod-checklist.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin anima-packSecures Figma API integrations: stores tokens safely, configures least-privilege scopes, rotates credentials, verifies webhook passcodes.
Runs production readiness checklist for Anima Figma-to-code pipelines: credentials, code quality, pipeline validation, plus TypeScript script for API access and token safety checks.
Applies Canva Connect API security best practices for OAuth tokens: client secret handling, encrypted storage, revocation, least-privilege scopes, and webhook verification.