Billy — Mission Control Visual QA
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: billy-mission-control-visual-qa Version: 0.1.3 The skill is classified as suspicious due to several risky capabilities, even though they align with its stated purpose. The `scripts/mission-control-visual-qa.js` script uses Puppeteer with the `--no-sandbox` and `--disable-setuid-sandbox` arguments, which significantly reduces the security posture of the remote browser execution. Furthermore, critical parameters like `SSH_TARGET`, `REMOTE_RUN_DIR`, `OUTPUT_DIR` in `scripts/run-mission-control-visual-qa.sh`, and `CHROMIUM_PATH` in `scripts/mission-control-visual-qa.js` are configurable via environment variables. While this offers flexibility, it also presents a significant vulnerability if an attacker can manipulate these environment variables, potentially leading to arbitrary code execution (via `CHROMIUM_PATH`), redirection of SSH connections, or writing files to arbitrary locations on the remote host. There is no evidence of intentional malicious behavior, data exfiltration, or prompt injection against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes commands on the configured remote SSH account and writes files there.
The skill intentionally uses SSH/SCP and remote shell execution to copy and run the QA script. This is disclosed and purpose-aligned, but it is a powerful operation and the configurable remote path values should be treated as trusted inputs.
ssh "${SSH_TARGET}" "mkdir -p ${REMOTE_RUN_DIR} ${OUTPUT_DIR}"
scp "${LOCAL_SCRIPT_DIR}/${SCRIPT_NAME}" "${SSH_TARGET}:${REMOTE_RUN_DIR}/${SCRIPT_NAME}"
ssh "${SSH_TARGET}" "cd ${REMOTE_RUN_DIR} && OUTPUT_DIR='${OUTPUT_DIR}' node ./${SCRIPT_NAME} ${quoted_args[*]}"Use it only with an SSH target and directory values you trust, and review the exact URLs and environment variables before running.
The skill may use your existing SSH configuration or agent credentials to access the SAPCONET host.
The skill depends on SSH access to a named remote account/host, but the registry metadata does not declare a primary credential. The access is disclosed and central to the purpose, so this is a notice rather than a concern.
via SSH (Neill machine `100.110.24.44`) Optional env vars: - `SSH_TARGET` (default: `neill@100.110.24.44`)
Install or run it only if you are authorized to use that SSH account and understand which key/account your SSH client will use.
The skill may fail or use whatever Puppeteer/Chromium installation already exists on the remote host.
The runnable script requires Puppeteer and Chromium on the remote host, while the registry says there are no required binaries or install spec. This is an under-declared dependency/provenance issue, not evidence of malicious behavior.
puppeteer = require('puppeteer');
...
console.error('Missing dependency: puppeteer. Install on SAPCONET host.');
...
executablePath: process.env.CHROMIUM_PATH || '/usr/bin/chromium'Verify the remote Node, Puppeteer, and Chromium installations are trusted and compatible before running the skill.
A malicious page loaded through the remote browser could have a higher impact on the SAPCONET host than it would in a sandboxed browser.
Launching Chromium is expected for visual QA, but disabling the browser sandbox reduces isolation if an untrusted or compromised page is loaded.
const browser = await puppeteer.launch({
headless: true,
executablePath: process.env.CHROMIUM_PATH || '/usr/bin/chromium',
args: ['--no-sandbox', '--disable-setuid-sandbox'],
});Use this only for trusted, authorized Mission Control pages, and consider enabling browser sandboxing if the remote environment supports it.
Screenshots or page metadata could remain on the SAPCONET host after the QA run and may expose information visible in the browser.
The skill stores screenshots and DOM-derived summaries in a persistent workspace directory. These outputs may capture sensitive UI content from Mission Control pages.
Default output path is `~/.openclaw/workspace/output/visual-qa/` on SAPCONET. ... On SAPCONET host, each URL produces: - `*.png` screenshot - basic DOM result
Review and clean the output directory when needed, and avoid running against pages that display secrets or private data unless storage there is acceptable.