Website Usability Testing using Nova Act

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned, but it drives a browser through Amazon Nova Act and stores detailed local traces, so users should use it only on appropriate test sites and handle logs carefully.

Before installing, be comfortable with the skill using your Nova Act API key, installing browser-automation dependencies, visiting the target website through Nova Act, and saving detailed local traces. Prefer test environments, avoid real payment/account/posting actions, and clean up generated logs and reports if they contain sensitive data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may interact with live websites and forms during tests, so a poorly chosen target or task could get close to purchases, bookings, signups, or publishing flows.

Why it was flagged

The skill is intended to automate real website workflows that can approach material-impact steps such as checkout. The artifact also documents a stop-before-payment guardrail, making this purpose-aligned but important for users to notice.

Skill content

**E-Commerce:**
- Product search → Add to cart → Checkout → **STOP before payment**

Recommendation

Use test or non-production environments where possible, keep the documented stop-before-final-action rule, and review any workflow involving payments, accounts, messages, or public posts.

What this means

Installing and using the skill requires granting it access to the Nova Act API key stored in the OpenClaw config file.

Why it was flagged

The code reads the local Nova Act API key and places it in the environment for the Nova Act SDK. This is expected for the integration and is disclosed in the documentation.

Skill content

config = load_config()
os.environ['NOVA_ACT_API_KEY'] = config['apiKey']

Recommendation

Use a dedicated Nova Act key if possible, store it only in the documented config path, and rotate it if logs or the environment are exposed.

What this means

Future package versions or compromised package sources could affect what code runs in the local environment.

Why it was flagged

The setup instructions install external packages without pinned versions. This is purpose-aligned for Nova Act browser testing, but it leaves package version/provenance decisions to the user environment.

Skill content

pip3 install nova-act pydantic playwright

Recommendation

Install from trusted package sources, consider pinning versions in a controlled environment, and avoid running the skill in a privileged shell.

What this means

Local reports and trace files may retain sensitive information visible during the browser test.

Why it was flagged

The skill persists rich session traces and reports locally. Those files can contain sensitive web-page content or PII from the sites being tested.

Skill content

**What trace files contain:**
- Screenshots of every page visited
- Full page content (HTML, text)
- Browser actions and AI decisions

Recommendation

Run tests on non-production or sanitized sites when possible, review the generated logs/reports, and delete trace files after use if they contain sensitive content.