Specs 2
Low riskIndependent Review
Turns a selected Figma component into a complete, structured specification (anatomy, props, layout, styling, tokens) generated directly from the file.
- Platform
- Figma
- Category
- Development / Design systems
- Developer
- Directed Edges, LLC (Nathan Curtis)
- Pricing
- Freemium — $10/month Pro via Polar.sh
- Official website
- www.figma.com
Review summary
Closed-source plugin. Figma's own listing shows "Restricted network access" limited to two Polar.sh domains, used only for license-key purchase/activation. Live testing confirms it: every spec-generation function ran with zero network calls, and the only server contact was license-key validation. No design data was observed leaving the file.
Privacy overview
What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.
- Data accessed
- Selected component/frame only (structure, variants, props, layout, styles, variables) — read to generate the spec, never sent anywhere
- Permissions requested
- Restricted network access: sandbox-api.polar.sh, api.polar.sh only
- External services
- Polar.sh — license key purchase and validation only
- External APIs
- Polar.sh billing/licensing API
- Database connections
- None — developer hosts no backend
- Authentication
- License key, issued and managed through Polar.sh's own customer portal
- Cloud storage
- None observed — plugin's own Terms of Service state all processing happens locally
- Analytics
- Unknown — not yet reviewed
- AI providers
- None observed (output is meant to be pasted into external LLM tools, but the plugin doesn't call one itself)
- Telemetry
- Unknown — not yet reviewed
- Cookies
- Not applicable — runs inside the Figma app, not a web page
Risk assessment
- Risk level
- Low risk
- Why this risk exists
- Figma enforces the plugin's manifest allowlist at runtime, so it can only ever reach two Polar.sh domains. Live testing showed spec generation, Copy, Settings, and About all make zero network calls — the only real server contact is license-key validation.
- Mitigation
- Use the free tier to avoid any network call entirely. Pro subscribers rely on Polar.sh's own account security (MFA, encrypted vaults, breach monitoring).
- Confidence
- Medium — live network traffic captured across every free-tier function, plus manifest badges, developer disclosure, and the plugin's own Terms of Service reviewed. Not source-reviewed (plugin bundle is closed-source; only its companion CLI is open source), and the license-check request appeared behind a Figma-hosted proxy rather than as a directly visible call to polar.sh.
Review methodology
- Tests performed
- Figma listing and permission-badge inspection
- Developer disclosure review
- Plugin's official docs and Terms of Service review
- Polar.sh privacy/security policy review
- Live hands-on test of every free-tier function with network traffic capture
- Evidence
- Figma Community listing (verified — "Restricted network access" badge, allowed domains)
- Plugin Terms of Service, Section 9 (verified — states local-only processing, license key is the sole exception)
- Live network log from a real Figma test file (verified — zero calls during generation, Copy, Settings, About — real validation call triggered by license activation)
- Polar.sh privacy policy (inferred — general safeguards, not plugin-specific)
- Known limitations
- Plugin's bundled source code was not reviewed (closed-source)
- Pro tier not tested (no paid license key)
- License-check request appeared behind a Figma proxy endpoint, not as a directly visible polar.sh call
- No standalone privacy policy page found separate from the Terms of Service
- Reviewer
- AI Agent supervised by a human
Read more about how we review and what Verified, Observed, Inferred and Unknown mean.
Review timeline
- Initial review published