registry  /  openspec-playwright  /  0.3.57

openspec-playwright@0.3.57

OpenSpec + Playwright E2E verification setup tool for Claude Code

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `openspec-pw init` or `openspec-pw update` in a project.
Impact
Adds project command/rule files and may register `npx @playwright/mcp@latest`; update may install and re-run the CLI.
Mechanism
User-invoked editor-rule/MCP setup plus npm self-update.
Rationale
Source inspection confirms explicit-user-command AI-editor configuration and self-update behavior, but no lifecycle-triggered mutation, data theft, hidden payload, or exfiltration. Treat the capability as a warning rather than malware.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/commands/update.jsdist/commands/editors.jsdist/shared/mcp.jsdist/shared/version-check.jsdist/commands/audit.jsAGENTS.mdCLAUDE.md.claude/commands/opsx/e2e.md.opencode/commands/opsx-e2e.mdopencode.jsonopencode.jsonc~/.openspec-pw-version.json
Network endpoints1
localhost:3000/sitemap.xml

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `init`/`update` can configure Playwright MCP via `npx @playwright/mcp@latest`.
  • `dist/commands/editors.js` writes project `AGENTS.md`, `CLAUDE.md`, editor commands, and OpenCode settings.
  • `update` explicitly installs the package globally/locally and re-executes its CLI.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/index.js` exposes mutations only behind explicit CLI subcommands.
  • MCP/config changes are scoped to the current project and use OpenSpec marker blocks.
  • No credential harvesting, remote payload loading, eval/vm use, or unrelated exfiltration found.
  • Network use is version checking and user-project diagnostics, not a hidden endpoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 158 KB of source

Source & flagged code

4 flagged · loading source
dist/shared/version-check.jsView file
12import { homedir } from "os"; L13: import { execFile } from "node:child_process"; L14: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/shared/version-check.jsView on unpkg · L12
dist/commands/update.jsView file
92mkdirSync(tmpDir, { recursive: true }); L93: // execFile with args array is safe with shell: true — Node quotes L94: // each argument, so paths with spaces (OneDrive, CJK user names)
High
Shell

Package source references shell execution.

dist/commands/update.jsView on unpkg · L92
dist/commands/coverage.jsView file
278try { L279: const result = execFileSync("npx", ["openspec", "list", "--json"], { L280: shell: needsShell,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/coverage.jsView on unpkg · L278
dist/commands/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = openspec-playwright@0.3.56 matchedIdentity = npm:b3BlbnNwZWMtcGxheXdyaWdodA:0.3.56 similarity = 0.960 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/doctor.jsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/doctor.js
HighChild Processdist/shared/version-check.js
HighShelldist/commands/update.js
HighRuntime Package Installdist/commands/coverage.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings