registry  /  ttj-skills-playwright  /  1.4.9

ttj-skills-playwright@1.4.9

Drive an existing Chrome over CDP (Playwright core) with one-shot commands — eval, goto, click, type, wait, tabs, screenshot — plus page element visualization and crawl-target analysis. Skill for Claude Code & Codex.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package mutates global Claude Code and Codex skill directories without an explicit setup command. The dropped skill is auto-invocable and grants an agent broad local tools.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install executes the postinstall lifecycle hook.
Impact
Unconsented modification of broad AI-agent control surfaces can cause future agent sessions to auto-load and invoke package instructions with Bash, Read, and Write access.
Mechanism
postinstall global AI-agent skill installation
Policy narrative
On npm installation, the package automatically copies its agent instruction file into the user's global Claude Code and Codex skill directories, then writes an installation marker. The dropped skill is model-invocable, has broad keyword activation, and declares Bash, Read, and Write tools. This is an unconsented postinstall mutation of foreign, broad AI-agent control surfaces; it can affect future agent behavior independently of a user explicitly running the package CLI.
Rationale
Source inspection confirms concrete postinstall global AI-agent control-surface writes. This meets the firewall block boundary even though no credential exfiltration was found.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-playwright/SKILL.mddist/browser.js~/.claude/skills/ttj-skills-playwright/SKILL.md~/.agents/skills/ttj-skills-playwright/SKILL.md~/.ttj-skills-playwright-installed
Network endpoints1
registry.npmjs.org/ttj-skills-playwright/latest

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/install-skill.js` in `postinstall`.
  • `scripts/install-skill.js` writes package-supplied `SKILL.md` into `~/.claude/skills/ttj-skills-playwright` and `~/.agents/skills/ttj-skills-playwright`.
  • The installed skill enables model invocation, broad auto-invoke keywords, and `Bash, Read, Write` tools.
  • The postinstall also creates `~/.ttj-skills-playwright-installed` without a user command.
  • `dist/browser.js` contains runtime self-update logic that invokes global npm installation.
Evidence against
  • No credential harvesting or outbound exfiltration was found in inspected source.
  • CDP browser control and page evaluation are exposed as explicit CLI functionality.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 79.5 KB of source, external domains: 127.0.0.1, example.com, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import http from 'http'; L8: import https from 'https'; L9: import { exec } from 'child_process'; L10: import { promisify } from 'util'; ... L18: */ L19: export const getOsType = () => process.platform === 'win32' L20: ? 'windows' ... L26: */ L27: export const getHomeDir = () => os.homedir(); L28: /**
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L53: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L54: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L55: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L56: ensureDir(claudeTargetDir); L57: fs.copyFileSync(sourceFile, claudeTargetFile); L58: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L40: L41: When the skill is activated, always start with the bare command `ttj-sk[redacted]` (no subcommand). It checks the dedicated ttj profile browser on CDP port 9227 (probing the p... L42: ... L135: ```bash L136: ttj-sk[redacted] goto https://example.com L137: ttj-sk[redacted] goto example.com # https:// auto-prefixed
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.4.6 matchedIdentity = npm:dHRqLXNraWxscy1wbGF5d3JpZ2h0:1.4.6 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings