openspec-playwright@0.3.51

OpenSpec + Playwright E2E verification setup tool for Claude Code

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a CLI that explicitly installs OpenSpec/Playwright E2E support into Claude Code or OpenCode projects. It mutates agent/editor command and MCP configuration only when user commands such as init/update/uninstall are run.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs `openspec-pw init`, `openspec-pw update`, or `openspec-pw uninstall`.
Impact
Adds/removes Playwright MCP config, slash commands, project rules, test templates, and optional update artifacts in the user's project; no unconsented install-time hijack or exfiltration confirmed.
Mechanism
Explicit agent/editor extension setup and package-manager-based update/sync.
Rationale
Source inspection shows explicit user-command agent/editor setup and npm-based update/version-check behavior, but no install-time execution, stealth persistence, credential collection, or exfiltration. Per policy this warrants a warning for agent extension lifecycle risk rather than a publish block.
Evidence
package.json, bin/openspec-pw.js, dist/index.js, dist/commands/init.js, dist/commands/update.js, dist/commands/editors.js, dist/shared/mcp.js, dist/shared/version-check.js, dist/commands/mcpSync.js, dist/utils/mcp-tools.js, dist/commands/uninstall.js, .claude/commands/opsx/e2e.md, .opencode/commands/opsx-e2e.md, AGENTS.md, CLAUDE.md, opencode.jsonc, opencode.json, tests/playwright/seed.spec.ts, tests/playwright/auth.setup.ts, tests/playwright/credentials.yaml, tests/playwright/pages/BasePage.ts, playwright.config.ts, .github/workflows/openspec-pw.yml, ~/.openspec-pw-version.json
Network endpoints (1)
opencode.ai/config.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js writes editor commands, Playwright templates, credentials.yaml, AGENTS.md/CLAUDE.md during explicit init.
  • dist/commands/editors.js can run `claude mcp add/remove` and edit opencode.json(c) MCP/instructions.
  • dist/shared/mcp.js installs `playwright` MCP command `npx @playwright/mcp@latest`.
  • dist/commands/update.js can run npm install/pack and refresh commands/templates/rules on explicit update.
  • dist/commands/mcpSync.js and dist/utils/mcp-tools.js fetch @playwright/mcp metadata/tarballs and rewrite SKILL.md tool tables.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build.
  • bin/openspec-pw.js only restores caller cwd then imports CLI dispatcher.
  • Agent/editor config mutation is tied to user-invoked init/update/uninstall commands, not install-time execution.
  • Network/package-manager use is package-aligned: version checks, self-update, OpenSpec/Playwright MCP setup.
  • No credential harvesting or exfiltration found; env vars are used for test credentials/base URL templates.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 28 file(s), 178 KB of source

Source & flagged code

4 flagged
dist/utils/mcp-tools.js
    L5: */
    L6: import { execSync } from 'child_process';
    L7: import { existsSync, readFileSync, writeFileSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/utils/mcp-tools.js · L5
dist/commands/mcpSync.js
    L74: }
    L75: const execAsync = promisify(exec);
    L76: /** Extract a .tgz tarball to a destination directory (cross-platform) */
High
Shell

Package source references shell execution.

dist/commands/mcpSync.js · L74
dist/commands/coverage.js
    L278: try {
    L279: const result = execFileSync("npx", ["openspec", "list", "--json"], {
    L280: shell: needsShell,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/coverage.js · L278
dist/commands/editors.js
    matchType = previous_version_dangerous_delta
    matchedPackage = openspec-playwright@0.3.50
    matchedIdentity = npm:b3BlbnNwZWMtcGxheXdyaWdodA:0.3.50
    similarity = 0.964
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/editors.js

Findings

1 Critical · 3 High · 3 Medium · 4 Low
  • Critical: Previous Version Dangerous Delta (dist/commands/editors.js)
  • High: Child Process (dist/utils/mcp-tools.js)
  • High: Shell (dist/commands/mcpSync.js)
  • High: Runtime Package Install (dist/commands/coverage.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings