AI Security Review
scanned 4d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior was found. The main residual risk is explicit `figma-claw setup` installing a first-party bundled skill into Codex/Claude skill directories.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs figma-claw setup, login, export, screenshot, session, or control commands
Impact
Can write exported artifacts, screenshots, storage state, session metadata, and bundled skill files when invoked by the user; no confirmed malicious exfiltration path.
Mechanism
CLI-driven Playwright/Figma automation and first-party agent skill installation
Rationale
Because the package explicitly mutates Codex/Claude skill directories only via `figma-claw setup`, this fits first-party agent extension lifecycle risk rather than malware. Source inspection found no unconsented install hook, secret harvesting, stealth persistence, or remote code execution chain.
Evidence
package.jsondist/cli.jsREADME.mdskills/figma-implement-ui/SKILL.md~/.codex/skills~/.claude/skills~/.playwright/figma-claw/figma-storage-state.json.artifacts/figma.artifacts/playwright-screenshots
Network endpoints4
www.figma.com/loginwww.figma.com/design/FILE_KEY/Example127.0.0.1:3000placehold.co
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- dist/cli.js setup command copies bundled skills into ~/.codex/skills and ~/.claude/skills
- dist/cli.js setup may spawn `pnpm exec playwright install chromium` when Chromium is missing
- dist/cli.js login accepts --email/--password and saves Playwright storage state by explicit user command
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks
- Network/browser activity is CLI-invoked and aligned with Figma/Playwright workflow
- No static evidence of credential exfiltration or remote payload execution
- Agent skill content is Figma UI implementation guidance, not prompt hijacking or secret harvesting
- Child process use is limited to documented setup/install and session CLI behavior
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
1#!/usr/bin/env node
L2: import{createRequire as e}from"node:module";import{existsSync as t,realpathSync as n}from"node:fs";import r,{resolve as i}from"node:path";import{fileURLToPath as a}from"node:url";i...
L3: `)}displayWidth(e){return r(e).length}styleTitle(e){return e}styleUsage(e){return e.split(` `).map(e=>e===`[options]`?this.styleOptionText(e):e===`[command]`?this.styleSubcommandTe...
High
1#!/usr/bin/env node
L2: import{createRequire as e}from"node:module";import{existsSync as t,realpathSync as n}from"node:fs";import r,{resolve as i}from"node:path";import{fileURLToPath as a}from"node:url";i...
L3: `)}displayWidth(e){return r(e).length}styleTitle(e){return e}styleUsage(e){return e.split(` `).map(e=>e===`[options]`?this.styleOptionText(e):e===`[command]`?this.styleSubcommandTe...
...
L10: - too many long flags`):Error(`${n}
L11: - unrecognised flag format`)}if(t===void 0&&n===void 0)throw Error(`option creation failed due to no flags found in '${e}'.`);return{shortFlag:t,longFlag:n}}e.Option=n,e.DualOption...
L12: - specify the name in Command constructor or using .name()`);return t||={},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComman...
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.jsView on unpkg · L1Findings
2 High2 Medium5 Low
HighChild Processdist/cli.js
HighCommand Output Exfiltrationdist/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License