Skill v1.0.3
ClawScan security
Website Usability Testing using Nova Act · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 12, 2026, 7:40 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested config are internally consistent with a Nova Act–based website usability testing tool, though it captures sensitive page data and relies on the agent to avoid final destructive actions — so use in test/sandbox environments and review traces carefully.
- Guidance
- This skill is coherent for Nova Act–driven usability testing, but follow these precautions before using it:
  - Only run tests against non-production or isolated test environments (the tool records full HTML and screenshots and may capture PII).
  - Keep your Nova Act API key in ~/.openclaw/config/nova-act.json and treat it as a secret; do not check it into source control. Rotate the key if you suspect exposure.
  - Review safe_nova_wrapper and test-run the scripts locally to confirm the 'STOP before payment/posting/account creation' guardrails behave as you expect — the agent is still responsible for interpretation and could accidentally trigger final actions if mis-instructed.
  - Clean up or securely store the ./nova_act_logs/ and generated trace/report files after use (they contain page content and screenshots). Consider running inside a VM/container when testing untrusted sites.
  - Install dependencies from official sources (pip, Playwright) and verify package names match documentation (nova-act, pydantic, playwright).
  - Run a small dry-run on a benign site to validate behavior (trace locations, partial-report handling) before testing sensitive workflows.

  If you want more confidence, request a short audit of the safe_nova_wrapper and any code that decides when to stop before final actions; that will reduce the chance of accidental material effects.
Review Dimensions
- Purpose & Capability
- ok: The name/description match the requested artifacts: python3, a Nova Act API key stored at ~/.openclaw/config/nova-act.json, and Playwright/nova-act packages. The skill exercises browser automation and report generation — the requested config and binaries are proportionate to that purpose.
- Instruction Scope
- note: Runtime instructions split collection (script) and interpretation/reporting (agent). The scripts read the declared config path and write local trace files with full page HTML and screenshots. This is expected for a usability tool, but the agent is responsible for marking goal_achieved/overall_success and for ensuring final-impact actions (payments, posting, account creation) are not executed. Because interpretation and final decisions are delegated to the agent, accidental material actions are possible if the agent or orchestration is misconfigured.
- Install Mechanism
- ok: No automatic install spec is included; README/SKILL.md recommend installing packages via pip and Playwright. That is normal and avoids automatic downloads from arbitrary URLs. Playwright browser install (~300MB) is expected for real browser automation.
- Credentials
- ok: The skill requires a single service credential (Nova Act API key) stored at the declared config path. The code sets NOVA_ACT_API_KEY from that file; no unrelated credentials or broad system secrets are requested.
- Persistence & Privilege
- ok: always:false and no special platform privileges are requested. The skill writes trace/log files into the working directory and uses an expected config path. It registers signal/atexit handlers to emit partial reports but does not attempt to modify other skills or global agent config.
