registry  /  ttj-skills-playwright  /  1.0.0

ttj-skills-playwright@1.0.0

Drive an existing Chrome over CDP (Playwright core) with one-shot commands — eval, goto, click, type, wait, tabs, screenshot — plus page element visualization and crawl-target analysis. Skill for Claude Code & Codex.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall mutates global Claude Code and Codex skill control surfaces without an explicit user command. The dropped skill can influence future AI-agent browser automation and arbitrary page evaluation.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm installation invokes postinstall
Impact
Persistent agent-control configuration mutation; future agent sessions may auto-invoke browser-control instructions.
Mechanism
writes package-supplied AI-agent skills into global user directories
Policy narrative
On installation, the postinstall script copies package-controlled instructions into the user's global Claude Code and Codex skill directories and creates a persistent install marker. Those instructions direct agents to automatically invoke the package's Chrome CDP tooling, including arbitrary JavaScript evaluation in an active browser page. This is an unconsented install-time mutation of broad AI-agent control surfaces; the runtime self-update path adds an additional remote package replacement mechanism.
Rationale
Source inspection confirms a concrete postinstall write into foreign global AI-agent skill directories. Under the install-control-surface policy, this requires blocking regardless of otherwise package-aligned CDP functionality.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-playwright/SKILL.mddist/browser.jsdist/cdp.jsdist/utils.js~/.claude/skills/ttj-skills-playwright/SKILL.md~/.agents/skills/ttj-skills-playwright/SKILL.md~/.ttj-skills-playwright-installed
Network endpoints2
registry.npmjs.org127.0.0.1:${port}

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json: postinstall runs scripts/install-skill.js automatically.
  • scripts/install-skill.js copies package SKILL.md into ~/.claude/skills/ttj-skills-playwright/SKILL.md.
  • scripts/install-skill.js writes a transformed skill to ~/.agents/skills/ttj-skills-playwright/SKILL.md.
  • scripts/install-skill.js creates ~/.ttj-skills-playwright-installed.
  • The installed skill directs agents to auto-trigger browser commands and run eval.
  • dist/browser.js auto-updates by executing npm install -g ttj-skills-playwright@latest.
Evidence against
  • No credential harvesting or outbound exfiltration code was found.
  • CDP connects only to 127.0.0.1 and browser actions are package-aligned.
  • Registry access is limited to version checking for this package.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 61.7 KB of source, external domains: 127.0.0.1, example.com, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import https from 'https'; L8: import { exec } from 'child_process'; L9: import { promisify } from 'util'; ... L17: */ L18: export const getOsType = () => process.platform === 'win32' L19: ? 'windows' ... L25: */ L26: export const getHomeDir = () => os.homedir(); L27: /** ... L33: const isWindows = getOsType() === 'windows';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.17 matchedPath = dist/utils.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils.jsView on unpkg
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L53: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L54: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L55: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L56: ensureDir(claudeTargetDir); L57: fs.copyFileSync(sourceFile, claudeTargetFile); L58: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L72: L73: ### eval — run JS in the active tab (result printed as JSON to stdout) L74: ```bash ... L82: ```bash L83: ttj-sk[redacted] goto https://example.com L84: ttj-sk[redacted] goto example.com # https:// auto-prefixed
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.17 matchedPath = dist/browser.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/browser.jsView on unpkg
dist/cli.jsView file
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.17 matchedPath = dist/cli.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.17 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg

Findings

1 Critical5 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighKnown Malware Source Similaritydist/utils.js
HighKnown Malware Source Similaritydist/browser.js
HighKnown Malware Source Similaritydist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings