registry  /  ttj-skills-playwright  /  1.4.2

ttj-skills-playwright@1.4.2

Drive an existing Chrome over CDP (Playwright core) with one-shot commands — eval, goto, click, type, wait, tabs, screenshot — plus page element visualization and crawl-target analysis. Skill for Claude Code & Codex.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. An npm postinstall unconditionally mutates global Claude Code and Codex skill directories with package-controlled instructions. The installed skill is auto-invocable and can steer future agent browser actions; CLI startup can then self-update from npm.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; later agent skill activation or CLI startup activates the installed behavior
Impact
Unconsented persistent modification of broad AI-agent control surfaces and future agent-action steering.
Mechanism
Global AI-agent skill injection plus runtime npm self-update
Policy narrative
Installing the package triggers code that persists its bundled instructions in global skill locations for two separate AI-agent environments without an explicit setup command. Those instructions are auto-invocable and prescribe use of this package for browser activity. When its CLI runs, it also queries npm and may execute a global upgrade command, allowing later package versions to replace the installed control path.
Rationale
Direct source inspection confirms an unconsented `postinstall` writes package-supplied, auto-invocable instructions into foreign global AI-agent control surfaces. This meets the blocking boundary despite no observed credential exfiltration.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-playwright/SKILL.mddist/browser.jsdist/utils.jsdist/cdp.js~/.claude/skills/ttj-skills-playwright/SKILL.md~/.agents/skills/ttj-skills-playwright/SKILL.md~/.ttj-skills-playwright-installed~/.ttj-skills-playwright/.last-update-check
Network endpoints2
registry.npmjs.org/ttj-skills-playwright/latest127.0.0.1:<CDP-port>/json/version

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` executes `scripts/install-skill.js` via `postinstall`.
  • `scripts/install-skill.js` copies package-controlled `SKILL.md` into `~/.claude/skills/ttj-skills-playwright/`.
  • The same postinstall writes a Codex skill to `~/.agents/skills/ttj-skills-playwright/` and a home-directory flag.
  • Installed `SKILL.md` enables automatic invocation and directs agents to route browser actions through this package.
  • `dist/browser.js` checks `registry.npmjs.org` and runs `npm install -g ttj-skills-playwright@latest` during CLI startup when newer.
Evidence against
  • No credential-file harvesting or external data-exfiltration path was found.
  • CDP traffic is limited to `127.0.0.1`; registry access is package-update related.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 65.9 KB of source, external domains: 127.0.0.1, example.com, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import http from 'http'; L8: import https from 'https'; L9: import { exec } from 'child_process'; L10: import { promisify } from 'util'; ... L18: */ L19: export const getOsType = () => process.platform === 'win32' L20: ? 'windows' ... L26: */ L27: export const getHomeDir = () => os.homedir(); L28: /**
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L53: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L54: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L55: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L56: ensureDir(claudeTargetDir); L57: fs.copyFileSync(sourceFile, claudeTargetFile); L58: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L40: L41: When the skill is activated, always start with the bare command `ttj-sk[redacted]` (no subcommand). It checks the dedicated ttj profile browser on CDP port 9227 (probing the p... L42: ... L108: ```bash L109: ttj-sk[redacted] goto https://example.com L110: ttj-sk[redacted] goto example.com # https:// auto-prefixed
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.1.0 matchedIdentity = npm:dHRqLXNraWxscy1wbGF5d3JpZ2h0:1.1.0 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/browser.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighPrevious Version Dangerous Deltadist/browser.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings