registry  /  figma-claw  /  2.0.2

figma-claw@2.0.2

CLI tooling for Figma workflows.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior was found. The main residual risk is explicit `figma-claw setup` installing a first-party bundled skill into Codex/Claude skill directories.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs figma-claw setup, login, export, screenshot, session, or control commands
Impact
Can write exported artifacts, screenshots, storage state, session metadata, and bundled skill files when invoked by the user; no confirmed malicious exfiltration path.
Mechanism
CLI-driven Playwright/Figma automation and first-party agent skill installation
Rationale
Because the package explicitly mutates Codex/Claude skill directories only via `figma-claw setup`, this fits first-party agent extension lifecycle risk rather than malware. Source inspection found no unconsented install hook, secret harvesting, stealth persistence, or remote code execution chain.
Evidence
package.jsondist/cli.jsREADME.mdskills/figma-implement-ui/SKILL.md~/.codex/skills~/.claude/skills~/.playwright/figma-claw/figma-storage-state.json.artifacts/figma.artifacts/playwright-screenshots
Network endpoints4
www.figma.com/loginwww.figma.com/design/FILE_KEY/Example127.0.0.1:3000placehold.co

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • dist/cli.js setup command copies bundled skills into ~/.codex/skills and ~/.claude/skills
  • dist/cli.js setup may spawn `pnpm exec playwright install chromium` when Chromium is missing
  • dist/cli.js login accepts --email/--password and saves Playwright storage state by explicit user command
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • Network/browser activity is CLI-invoked and aligned with Figma/Playwright workflow
  • No static evidence of credential exfiltration or remote payload execution
  • Agent skill content is Figma UI implementation guidance, not prompt hijacking or secret harvesting
  • Child process use is limited to documented setup/install and session CLI behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 498 KB of source, external domains: 127.0.0.1, github.com, goo.gl, placehold.co, www.figma.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
1#!/usr/bin/env node L2: import{createRequire as e}from"node:module";import{existsSync as t,realpathSync as n}from"node:fs";import r,{resolve as i}from"node:path";import{fileURLToPath as a}from"node:url";i... L3: `)}displayWidth(e){return r(e).length}styleTitle(e){return e}styleUsage(e){return e.split(` `).map(e=>e===`[options]`?this.styleOptionText(e):e===`[command]`?this.styleSubcommandTe...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{createRequire as e}from"node:module";import{existsSync as t,realpathSync as n}from"node:fs";import r,{resolve as i}from"node:path";import{fileURLToPath as a}from"node:url";i... L3: `)}displayWidth(e){return r(e).length}styleTitle(e){return e}styleUsage(e){return e.split(` `).map(e=>e===`[options]`?this.styleOptionText(e):e===`[command]`?this.styleSubcommandTe... ... L10: - too many long flags`):Error(`${n} L11: - unrecognised flag format`)}if(t===void 0&&n===void 0)throw Error(`option creation failed due to no flags found in '${e}'.`);return{shortFlag:t,longFlag:n}}e.Option=n,e.DualOption... L12: - specify the name in Command constructor or using .name()`);return t||={},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComman...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1

Findings

2 High2 Medium5 Low
HighChild Processdist/cli.js
HighCommand Output Exfiltrationdist/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License