registry  /  ttj-skills-playwright  /  1.4.12

ttj-skills-playwright@1.4.12

Drive an existing Chrome over CDP (Playwright core) with one-shot commands — eval, goto, click, type, wait, tabs, screenshot — plus page element visualization and crawl-target analysis. Skill for Claude Code & Codex.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installation automatically creates globally discoverable Claude Code and Codex skill files. CLI startup silently checks npm and may launch a detached global package update.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
`npm install` runs postinstall; invoking the CLI triggers the daily update path.
Impact
Creates persistent agent instructions and can replace the global package from npm without an explicit per-update confirmation.
Mechanism
Global agent-skill installation plus detached self-update and user-directed CDP browser control.
Rationale
Source inspection confirms first-party global agent-skill setup and silent detached self-update, which warrant a warning under the lifecycle policy. No concrete malicious chain was found.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-playwright/SKILL.mddist/browser.jsdist/cdp.jsdist/utils.js~/.claude/skills/ttj-skills-playwright/SKILL.md~/.agents/skills/ttj-skills-playwright/SKILL.md~/.ttj-skills-playwright-installed~/.ttj-skills-playwright/.last-update-check
Network endpoints2
registry.npmjs.org/ttj-skills-playwright/latest127.0.0.1:<CDP-port>

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` automatically.
  • `scripts/install-skill.js` writes global Claude/Codex skill files under `~/.claude` and `~/.agents`.
  • `.claude/skills/ttj-skills-playwright/SKILL.md` enables agent invocation with Bash, Read, and Write tools.
  • `dist/browser.js` performs a detached global `npm install -g ...@latest` after registry checks.
  • `dist/cdp.js` accepts user-supplied JavaScript for execution in a browser CDP target.
Evidence against
  • Install script copies only this package's named skill and does not alter existing agent settings.
  • Registry traffic is limited to `https://registry.npmjs.org/ttj-skills-playwright/latest` for version checks.
  • No source evidence of credential harvesting, remote exfiltration, obfuscated payloads, or destructive filesystem behavior.
  • Chrome/CDP control and page evaluation are documented CLI capabilities activated by user commands.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 127 KB of source, external domains: 127.0.0.1, example.com, registry.npmjs.org, site.com, www.google.com, www.naver.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import http from 'http'; L8: import https from 'https'; L9: import { exec } from 'child_process'; L10: import { promisify } from 'util'; ... L18: */ L19: export const getOsType = () => process.platform === 'win32' L20: ? 'windows' ... L26: */ L27: export const getHomeDir = () => os.homedir(); L28: /**
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.4.10 matchedPath = dist/utils.js matchedIdentity = npm:dHRqLXNraWxscy1wbGF5d3JpZ2h0:1.4.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils.jsView on unpkg
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L53: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L54: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L55: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L56: ensureDir(claudeTargetDir); L57: fs.copyFileSync(sourceFile, claudeTargetFile); L58: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L40: L41: When the skill is activated, always start with the bare command `ttj-sk[redacted]` (no subcommand). It checks the dedicated ttj profile browser on CDP port 9227 (probing the p... L42: ... L111: ttj-sk[redacted] batch '[ L112: {"cmd":"goto","url":"https://site.com/login"}, L113: {"cmd":"snapshot"},
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.4.10 matchedPath = dist/browser.js matchedIdentity = npm:dHRqLXNraWxscy1wbGF5d3JpZ2h0:1.4.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/browser.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.4.6 matchedIdentity = npm:dHRqLXNraWxscy1wbGF5d3JpZ2h0:1.4.6 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/browser.jsView on unpkg

Findings

1 Critical5 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighKnown Malware Source Similaritydist/utils.js
HighKnown Malware Source Similaritydist/browser.js
HighPrevious Version Dangerous Deltadist/browser.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings