mission-control-visual-qa
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent visual-QA helper, but it uses SSH to run browser automation on a remote host and saves screenshots there.
Before installing, confirm you are comfortable with a skill that uses your SSH access to copy and run a Node/Puppeteer script on a remote machine. Use a least-privilege SSH account, test only authorized Mission Control URLs, and manage or delete saved screenshots if they contain sensitive information.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will create files and execute the QA script on the selected remote machine.
The helper creates remote directories, copies the Node script, and executes it over SSH. This is disclosed and central to the skill, but it is still remote shell authority on the configured host.
ssh "${SSH_TARGET}" "mkdir -p ${REMOTE_RUN_DIR} ${OUTPUT_DIR}" ... scp "${LOCAL_SCRIPT_DIR}/${SCRIPT_NAME}" "${SSH_TARGET}:${REMOTE_RUN_DIR}/${SCRIPT_NAME}" ... ssh "${SSH_TARGET}" "cd ${REMOTE_RUN_DIR} && OUTPUT_DIR='${OUTPUT_DIR}' node ./${SCRIPT_NAME} ${quoted_args[*]}"
Use only a trusted SSH target and account, and keep REMOTE_RUN_DIR and OUTPUT_DIR to simple trusted paths.
A malicious page would have less browser-level isolation on the remote host than with a sandboxed Chromium run.
The script loads supplied URLs in Chromium with sandboxing disabled. This can be common in automation, but it reduces isolation if an untrusted or compromised page is tested.
await page.goto(url, { waitUntil: 'networkidle2', timeout: 45000 }); ... args: ['--no-sandbox', '--disable-setuid-sandbox']
Run it only against authorized Mission Control pages, and prefer enabling Chromium sandboxing on remote hosts that support it.
The commands run with whatever permissions the selected SSH account has on the remote machine.
The skill relies on the user's configured SSH identity for the target host. This is expected for remote QA, but it is delegated account access.
SSH_TARGET="${SSH_TARGET:-neill@<YOUR_REMOTE_HOST>}" ... ssh "${SSH_TARGET}" ... scp ...
Use a least-privilege remote account and verify SSH_TARGET before running the skill.
The skill may fail or use whatever dependency versions are already installed on the remote host.
The metadata does not declare the runtime dependencies that the included scripts use, such as SSH/SCP locally and Node/Puppeteer/Chromium remotely. This is a setup transparency issue, not hidden execution.
Required binaries (all must exist): none ... Required env vars: none ... Install specifications: No install spec — this is an instruction-only skill.
Install Node, Puppeteer, and Chromium from trusted sources on the remote host and pin versions if reproducibility matters.
Private dashboard content could remain on the remote filesystem after the QA run.
The script persists full-page screenshots to a remote output directory. This is the intended QA output, but screenshots may capture sensitive Mission Control information.
const outputDir = process.env.OUTPUT_DIR || path.join(os.homedir(), '.openclaw/workspace/output/visual-qa'); ... await page.screenshot({ path: screenshotPath, fullPage: true });
Store outputs in an access-controlled directory and delete screenshots when they are no longer needed.
