Specs (Classic)

Low riskIndependent Review

Automatically generates page and component design specs — anatomy, properties, and layout annotations — for selected frames, instances, and components in Figma.

Platform
Figma
Category
Design systems / documentation
Developer
Nathan Curtis — Directed Edges LLC
Pricing
Freemium (premium tier deprecated — closed to new subscribers; billing was via Figma Payments)
Official website
www.figma.com

Review summary

Manifest declares no network access, and running the plugin confirmed it: across load, no-selection, and full spec-generation, every network request went only to Figma's own servers — nothing to the developer or any third party. The plugin reads your selected layers, builds the spec on the canvas, and saves its settings locally in the file. No sign-in, no backend, no tracking.

Privacy overview

What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.

Data accessed
  • Selected frames, instances, and components only (names, sizes, properties, styles) to build the spec
Permissions requested
  • Current page read/write
  • Selection access
  • Network access: none — "The plugin cannot access any domains"
External services
  • None observed
External APIs
  • None observed
Database connections
None — settings saved locally in the file via Figma's own plugin-data storage
Authentication
None
Cloud storage
  • None observed
Analytics
  • None observed
AI providers
  • None observed
Telemetry
None observed from the plugin
Cookies
Not applicable — runs inside the Figma app, not a web page

Risk assessment

Risk level
Low risk
Why this risk exists
The plugin reads and writes layers on the current page and saves its settings locally in the file. Network access is explicitly disabled in its manifest, so there is no observed way for your document to leave your machine.
Mitigation
None needed — safe for use on any file, including confidential ones. Note the plugin is deprecated; if you move to "Specs 2" (a separate plugin), re-check its network access.
Confidence
Medium — manifest network declaration verified and live network traffic captured while running the plugin; the raw source code was not read line-by-line.

Review methodology

Tests performed
  • Manifest / permission inspection (network-access badge)
  • Live network capture across 3 runs: load, no selection, full spec generation
  • Third-party host check (developer domains, analytics, cloud, AI endpoints)
  • Manual click-through — generated a real spec end to end
  • Developer data-security self-assessment reviewed
Evidence
  • Manifest network declaration (verified — "cannot access any domains")
  • Network capture (verified — only Figma-owned hosts, zero developer or third-party hosts)
  • Functional run (observed — spec generated locally with no network activity)
  • Developer self-assessment (inferred — self-declared survey)
Known limitations
  • Raw source code / manifest.json not read line-by-line — no-network relies on Figma's platform enforcement
  • Single session, single version
  • Premium subscription flow not exercised (deprecated)
Reviewer
AI Agent supervised by a human

Read more about how we review and what Verified, Observed, Inferred and Unknown mean.

Review timeline

  1. Initial review published

Resources