Cypress

Security checks across malware telemetry and agentic risk

Overview

This Cypress testing skill is purpose-aligned and not malicious, but users should be careful with CI artifacts and optional Cypress Cloud recording because test output can contain sensitive data.

Install this only for repositories where Cypress testing is intended. Before copying the CI examples, review whether screenshots, videos, logs, fixtures, test credentials, internal URLs, or Cypress Cloud recordings could expose sensitive information; use sanitized test data, restrict artifact access, limit retention, and disable recording or media capture for sensitive suites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow uploads Cypress screenshots as CI artifacts on failure without warning that captured UI state may contain sensitive application data, test credentials, tokens, or personal information visible to anyone with artifact access. In a testing/CI skill, this is a realistic privacy and data-exposure risk because screenshots often reflect real rendered pages and are retained for later download.

Missing User Warnings

Medium
Confidence: 96%
Finding
The parallel testing example enables Cypress Dashboard recording and passes a record key, but does not disclose that run metadata, logs, and results are sent to an external third-party service. This is dangerous because users may unknowingly export potentially sensitive test information outside their CI boundary, especially in enterprise or regulated environments.

Missing User Warnings

Medium
Confidence: 95%
Finding
The GitLab CI example stores screenshots and videos as failure artifacts without warning about retention or access control. These artifacts can expose sensitive UI data, seeded test records, or internal application details to anyone who can browse project artifacts or to systems that replicate CI outputs.

Missing User Warnings

Medium
Confidence: 94%
Finding
The CircleCI example stores Cypress screenshots and videos as artifacts with no note about possible exposure of captured application content. In E2E testing contexts, these files frequently include account data, internal URLs, or failure states that should not be broadly retained or shared.

Missing User Warnings

Medium
Confidence: 97%
Finding
The best-practices section says to always save screenshots and videos on failure, which normalizes broad retention of potentially sensitive test output without mentioning privacy, secrecy, or compliance tradeoffs. Because this is presented as general guidance in a CI-focused Cypress skill, readers may adopt it widely and unintentionally increase the exposure surface of test data.

VirusTotal

65/65 vendors flagged this skill as clean.