Skillshub anima-security-basics
Install
Source: clone the upstream repo
```bash
git clone https://github.com/ComeOnOliver/skillshub
```
Claude Code: install into ~/.claude/skills/
```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/jeremylongshore/claude-code-plugins-plus-skills/anima-security-basics" ~/.claude/skills/comeonoliver-skillshub-anima-security-basics && rm -rf "$T"
```
Manifest: skills/jeremylongshore/claude-code-plugins-plus-skills/anima-security-basics/SKILL.md
Source content
Anima Security Basics
Security Checklist
- Anima token stored in secret manager (not .env in prod)
- Figma PAT has minimum required scope (file:read only)
- SDK runs server-side only (never ship tokens to browser)
- .env files gitignored and chmod 600
- CI secrets stored in GitHub Secrets, not workflow files
- Generated code reviewed before committing (no embedded tokens)
Instructions
Step 1: Figma Token Scope Restriction
```bash
# When creating a Figma Personal Access Token:
# - Give it the MINIMUM scope needed: File Content (read-only)
# - Do NOT grant write access unless you need Figma plugin features
# - Set an expiration date (90 days recommended)
# - Create separate tokens for dev vs CI environments
```
Step 2: Server-Side Only Enforcement
```typescript
// src/anima/safety.ts
// Anima SDK is designed for server-side use only
function validateEnvironment(): void {
  // `window` only exists in a browser: refuse to run there so tokens never reach the client
  if (typeof window !== 'undefined') {
    throw new Error('Anima SDK must run server-side only — never import in browser code');
  }
  if (!process.env.ANIMA_TOKEN) throw new Error('ANIMA_TOKEN not set');
  if (!process.env.FIGMA_TOKEN) throw new Error('FIGMA_TOKEN not set');
}

// Call this at startup
validateEnvironment();
```
Step 3: Secret Manager Integration
```typescript
// src/anima/secrets.ts
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

// Read the latest version of one secret and fail loudly if it is missing or empty,
// rather than handing an empty token to the SDK
async function readSecret(client: SecretManagerServiceClient, secretId: string): Promise<string> {
  const project = process.env.GCP_PROJECT;
  if (!project) throw new Error('GCP_PROJECT not set');
  const [version] = await client.accessSecretVersion({
    name: `projects/${project}/secrets/${secretId}/versions/latest`,
  });
  const value = version.payload?.data?.toString();
  if (!value) throw new Error(`Secret ${secretId} is empty or unreadable`);
  return value;
}

async function loadAnimaSecrets(): Promise<{ animaToken: string; figmaToken: string }> {
  const client = new SecretManagerServiceClient();
  return {
    animaToken: await readSecret(client, 'anima-token'),
    figmaToken: await readSecret(client, 'figma-token'),
  };
}
```
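The steps above enforce the token-scope and server-side items in code; the remaining checklist items (.env ignored and chmod 600, no tokens embedded in generated code) can be checked before committing. The following is an added example, not part of the skill or of the Anima and Figma SDKs; it assumes Figma personal access tokens carry the `figd_` prefix, only flags literal assignments to ANIMA_TOKEN/FIGMA_TOKEN-style names, and runs over constructed sample input.

```typescript
// Added example (not part of the skill): pre-commit checks for the checklist items
// that the steps above do not enforce in code.
// Assumptions: Figma PATs carry the "figd_" prefix; Anima tokens are recognised only
// when assigned as string literals to ANIMA_TOKEN / FIGMA_TOKEN-style names.

interface Finding { line: number; reason: string }

// Hard-coded credential, e.g.  const ANIMA_TOKEN = "abcd1234...";
const LITERAL_ASSIGNMENT = /\b(ANIMA|FIGMA)_TOKEN\b\s*[:=]\s*["'`][^"'`]{8,}["'`]/;
// Figma personal access token pattern (assumed prefix) anywhere in the text
const FIGMA_PAT = /\bfigd_[A-Za-z0-9_-]{16,}/;

// Scan generated source for embedded credentials; one finding per offending line
function findEmbeddedTokens(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, i) => {
    if (LITERAL_ASSIGNMENT.test(text)) {
      findings.push({ line: i + 1, reason: 'token assigned as string literal' });
    } else if (FIGMA_PAT.test(text)) {
      findings.push({ line: i + 1, reason: 'Figma PAT pattern in source' });
    }
  });
  return findings;
}

// True when .gitignore ignores .env files (exact ".env" or a wildcard that covers it)
function gitignoreCoversEnv(gitignore: string): boolean {
  const patterns = new Set(['.env', '.env*', '.env.*', '*.env']);
  return gitignore.split(/\r?\n/).some((l) => patterns.has(l.trim().replace(/^\//, '')));
}

// True when a mode from fs.statSync(path).mode grants nothing to group or other (chmod 600)
function envModeIsPrivate(mode: number): boolean {
  return (mode & 0o077) === 0;
}

// Constructed sample of "generated" code, not taken from a real project
const sampleGenerated = [
  "import { loadAnimaSecrets } from './secrets';",
  "const ANIMA_TOKEN = 'sk-constructed-0123456789abcdef';",
  "const figmaToken = process.env.FIGMA_TOKEN;",
  "// leftover debug value: figd_AbCdEfGhIjKlMnOpQrStUvWx",
].join('\n');

for (const f of findEmbeddedTokens(sampleGenerated)) {
  console.log(`line ${f.line}: ${f.reason}`);
}
console.log('.env* ignored:', gitignoreCoversEnv('node_modules/\n.env*\n'));
console.log('mode 0600 private:', envModeIsPrivate(0o100600));
```

On a real repository, feed `findEmbeddedTokens` the generated files, `gitignoreCoversEnv` the contents of `.gitignore`, and `envModeIsPrivate` the `mode` from `fs.statSync('.env')`.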
Output
- Figma token with minimal scope (read-only)
- Server-side enforcement preventing browser usage
- Secrets loaded from cloud secret manager
Resources
Next Steps
For production deployment, see anima-prod-checklist.