ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cypress Agent Skill

v0.1.0

Production-grade Cypress E2E and component testing — selectors, network stubbing, auth, CI parallelization, flake elimination, Page Object Model, and TypeScr...

0· 270·2 current·2 all-time
by@kahlilr23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Cypress E2E and component testing) match the files and instructions. Declared binaries (cypress or npx) and the npm install:cypress install step are appropriate and expected for this skill.
Instruction Scope
SKILL.md and the example/reference files are focused on writing and running Cypress tests. They show network stubbing (cy.intercept), API requests (cy.request), and examples referencing secrets via cy.env/CYPRESS_* and cypress.env.json. References/docs also mention cy.exec and cy.task (commands that can run shell tasks if tests register them). These are normal for test suites, but running the included examples may trigger requests to your app, seed/reset endpoints, or execute tasks if you wire them into Node tasks — so only run in a controlled environment.
Install Mechanism
Install is a standard npm package (cypress). No downloads from arbitrary personal servers or extract-from-URL installs are present in the manifest. README references a curl-based install.sh, but that script is not present in the supplied file manifest — a packaging/documentation inconsistency to note.
Credentials
The skill does not require any environment variables up front, which matches registry metadata. Example tests and custom commands, however, reference test credentials, API URLs, and test secrets (e.g., Cypress.env('apiUrl'), TEST_SECRET, admin/test user passwords). Those are proportionate to a testing skill but mean you should not supply production secrets to these examples; the skill will expect test-specific config when you run tests.
Persistence & Privilege
Skill is user-invocable, not always:true, and does not request to be force-enabled or modify other skills. It does not declare persistent privileged access to system configuration.
Assessment
This skill appears to be a legitimate Cypress test-authoring helper with example tests and helpers. Before installing or running anything: 1) Review the files locally — the README mentions an install.sh and other repo files that are not present in the provided manifest, so do not run any curl|bash commands you find online without verifying them. 2) Run tests only in a safe/test environment — example tests may call APIs (seed/reset endpoints), set cookies/localStorage, or (if you add Node tasks) execute shell commands via cy.exec/cy.task. 3) Provide only test credentials / test API URLs (do not reuse production secrets). 4) If you plan to allow an agent to run tests autonomously, be aware that tests can perform network requests to local endpoints and (when configured) run shell commands; limit the agent's execution scope and review test contents first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9735veh83ww52m7p6zq3erkyd82fzej

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧪 Clawdis
Any bincypress, npx

Install

Install Cypress (npm)npm i -g cypress

Comments