Specs 2

Low riskIndependent Review

Turns a selected Figma component into a complete, structured specification (anatomy, props, layout, styling, tokens) generated directly from the file.

Platform
Figma
Category
Development / Design systems
Developer
Directed Edges, LLC (Nathan Curtis)
Pricing
Freemium — $10/month Pro via Polar.sh
Official website
www.figma.com

Review summary

Closed-source plugin. Figma's own listing shows "Restricted network access" limited to two Polar.sh domains, used only for license-key purchase/activation. Live testing confirms it: every spec-generation function ran with zero network calls, and the only server contact was license-key validation. No design data was observed leaving the file.

Privacy overview

What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.

Data accessed
  • Selected component/frame only (structure, variants, props, layout, styles, variables) — read to generate the spec, never sent anywhere
Permissions requested
  • Restricted network access: sandbox-api.polar.sh, api.polar.sh only
External services
  • Polar.sh — license key purchase and validation only
External APIs
  • Polar.sh billing/licensing API
Database connections
None — developer hosts no backend
Authentication
License key, issued and managed through Polar.sh's own customer portal
Cloud storage
  • None observed — plugin's own Terms of Service state all processing happens locally
Analytics
Unknown — not yet reviewed
AI providers
  • None observed (output is meant to be pasted into external LLM tools, but the plugin doesn't call one itself)
Telemetry
Unknown — not yet reviewed
Cookies
Not applicable — runs inside the Figma app, not a web page

Risk assessment

Risk level
Low risk
Why this risk exists
Figma enforces the plugin's manifest allowlist at runtime, so it can only ever reach two Polar.sh domains. Live testing showed spec generation, Copy, Settings, and About all make zero network calls — the only real server contact is license-key validation.
Mitigation
Use the free tier to avoid any network call entirely. Pro subscribers rely on Polar.sh's own account security (MFA, encrypted vaults, breach monitoring).
Confidence
Medium — live network traffic captured across every free-tier function, plus manifest badges, developer disclosure, and the plugin's own Terms of Service reviewed. Not source-reviewed (plugin bundle is closed-source; only its companion CLI is open source), and the license-check request appeared behind a Figma-hosted proxy rather than as a directly visible call to polar.sh.

Review methodology

Tests performed
  • Figma listing and permission-badge inspection
  • Developer disclosure review
  • Plugin's official docs and Terms of Service review
  • Polar.sh privacy/security policy review
  • Live hands-on test of every free-tier function with network traffic capture
Evidence
  • Figma Community listing (verified — "Restricted network access" badge, allowed domains)
  • Plugin Terms of Service, Section 9 (verified — states local-only processing, license key is the sole exception)
  • Live network log from a real Figma test file (verified — zero calls during generation, Copy, Settings, About — real validation call triggered by license activation)
  • Polar.sh privacy policy (inferred — general safeguards, not plugin-specific)
Known limitations
  • Plugin's bundled source code was not reviewed (closed-source)
  • Pro tier not tested (no paid license key)
  • License-check request appeared behind a Figma proxy endpoint, not as a directly visible polar.sh call
  • No standalone privacy policy page found separate from the Terms of Service
Reviewer
AI Agent supervised by a human

Read more about how we review and what Verified, Observed, Inferred and Unknown mean.

Review timeline

  1. Initial review published

Resources