Cypress
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing Cypress can modify package files and run package-provided setup behavior in the project.
The setup instructions install and run Cypress from the npm ecosystem. This is central to the skill's purpose, but it is still third-party tooling executed in the user's project.
npm install -D cypress
npx cypress open # First run creates folder structure
Run these commands only in the intended project, review package.json/package-lock changes, and prefer normal dependency review practices.
If copied without review, CI jobs may receive credentials or recording keys that should be scoped to testing use.
The CI template uses repository secrets and a GitHub token for recorded/parallel Cypress runs. This is expected for CI integration but involves delegated credentials.
env:
  CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Use least-privilege CI secrets, avoid production credentials in tests, and review CI permissions before enabling recording or parallel runs.
Project conventions or preferences could be reused across future Cypress work if the optional memory file is created.
The skill optionally suggests persistent cross-project memory. It is disclosed and limited to project patterns, but persistent memory can retain information beyond a single task.
If tracking Cypress patterns across multiple projects, create `~/cypress/memory.md`:
Keep memory optional, avoid storing secrets or sensitive project details, and review any cross-project notes before reuse.
