user-test-toolkit
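v4.0.0
Non-intrusively and automatically collects user interaction traces and behavior on Vibe Coding pages; supports embedded task guidance, micro-surveys, and several standard scales; suited to usability testing and user research.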
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description promise (non‑intrusive automatic collection of interaction traces + embedded surveys for usability testing) aligns with the included tracker.js and survey.js files: they record clicks, scrolls, focus, file selections, JS errors, milestones, and show in-situ surveys. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md limits runtime actions to injecting tracker.js/survey.js into web pages and configuring TRACKER_CONFIG.endpoint and SURVEY_CONFIG. survey.js only activates when URL parameters (mode/test + uid) are present. However, the code captures a broad set of details (element text up to 50 chars, file names and sizes, JS error messages, URL/referrer, click coordinates) and rewrites same-origin links to append uid/test parameters. These behaviors are coherent with usability testing but make the collected data more privacy-sensitive, and the docs do not explicitly warn about collecting filenames or visible text content.
Install Mechanism
No install spec or external downloads; the skill is delivered as JS assets bundled in the package. Nothing is fetched from untrusted URLs at install time, so disk-write/remote‑download risks are low.
Credentials
The skill requests no environment variables or credentials. All external communication goes to the endpoint the integrator must set (TRACKER_CONFIG.endpoint). That is proportionate to the stated purpose, but it means trust/verification of the configured endpoint is critical since arbitrary data is posted there.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It persists minimal state only in sessionStorage under a key tied to uid. It does not modify other skills or global agent config.
Assessment
This skill behaves as an analytics/survey library and will collect and POST detailed interaction data to whatever endpoint you configure. Before installing:
1) Verify and control the receiving endpoint (TRACKER_CONFIG.endpoint); only point it to servers you trust.
2) Review the tracker code carefully for any fields you must not capture on your site (it records element text, click coords, filenames, JS error messages and rewrites same-origin links to add uid/test params).
3) Do not enable it on pages that handle sensitive personal data (logins, payments) unless you have explicit consent and proper data handling in place.
4) Consider setting TRACKER_CONFIG.disabled=true during initial tests, and audit server-side storage/retention and compliance (privacy/GDPR).
5) Because the package origin is unknown and there's no homepage, prefer to vet the bundled JS or use a library from a verified source if you need stronger provenance guarantees.
Like a lobster shell, security has layers: review code before you run it.
