Cypress Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This Cypress testing skill is mostly coherent, but users should review it because it includes risky install, database reset, and secret-handling examples without enough guardrails.

Install through ClawHub/OpenClaw or a reviewed pinned source instead of the README curl-to-bash command. Use the auth, CI secret, database reset, and file deletion examples only in isolated test environments with test-only credentials, protected CI secrets, validated paths, and explicit guards that prevent staging or production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The skill presents nonstandard or likely inaccurate security guidance about secret handling APIs as authoritative, which can cause agents or users to write insecure or broken test code. Misstating how secrets are exposed, serialized, or protected is dangerous because it can create a false sense of safety and lead to credential leakage or incorrect configuration decisions.

Intent-Code Divergence

Medium
Confidence: 81%
Finding
The file advertises `cy.prompt()` and 'Cypress AI' as usable capabilities without clear proof they exist or are enabled in the described setup. In an agent skill, this can mislead automation into relying on imaginary or experimental behavior, causing unsafe fallback behavior, brittle test generation, or unauthorized use of AI-driven self-healing features.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The reference includes Node-side Cypress tasks that can seed, truncate, and arbitrarily query a database. In a testing skill this is plausible, but exposing a generic `queryDatabase(sql)` capability and destructive reset operations broadens the skill beyond normal browser automation and can enable dangerous actions if an agent reuses the pattern against a non-test database.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README explicitly instructs users to execute a remote installer via `bash <(curl -fsSL ...)`, which causes fetched shell code to run immediately without prior inspection, pinning, or integrity verification. In a skill intended for AI agents and developers, this is especially risky because users may copy-paste it reflexively, and a compromised GitHub account, repo, branch, or network path could turn installation into arbitrary code execution.

Missing User Warnings

Medium
Confidence: 74%
Finding
The authentication examples include credentials, token storage, and session handling patterns without explicit warnings that they must be limited to test environments and protected secret sources. In an agent-consumable skill, this increases the chance that real credentials get hardcoded, logged, or persisted insecurely in browser storage and test artifacts.

Missing User Warnings

Medium
Confidence: 84%
Finding
The CI and environment variable sections show secret injection patterns but do not sufficiently warn about leakage through build logs, screenshots, artifacts, committed files, or browser-visible state. Because this skill is intended for agent use, omission of these guardrails can directly normalize unsafe secret-handling practices in pipelines.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly shows passing sensitive values such as `apiKey=abc123` and `--key your-record-key` on the command line without warning that CLI arguments may be exposed via shell history, process listings, CI logs, and audit tooling. In a testing/CI skill, users are likely to copy these examples directly, so the omission can lead to accidental credential disclosure even though the example itself is not executable malware.

Missing User Warnings

Medium
Confidence: 81%
Finding
The example deletes the configured downloads directory recursively with `fs.rmSync(..., { recursive: true })` without any warning or path validation. In context this is meant to clean test artifacts, but if copied carelessly or paired with a misconfigured path it could delete unintended files on the host running Cypress.

Missing User Warnings

Medium
Confidence: 94%
Finding
The examples demonstrate `resetDatabase()` via truncation and direct SQL querying without prominent safety constraints. While common in E2E test setups, these patterns are dangerous if applied outside isolated test infrastructure because they normalize destructive database access and could lead an agent or user to wipe or inspect real data.

VirusTotal

65/65 vendors flagged this skill as clean.