Cypress Agent Skill

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent Cypress testing skill, with some expected but sensitive testing patterns users should keep scoped to test environments.

This skill looks appropriate for Cypress test development. Before installing or copying examples, verify any remote installer source, use only test credentials and test databases, and avoid pointing reset or auth helpers at production services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user follows that optional installer from an unverified source, they could run unreviewed shell code on their machine.

Why it was flagged

The README offers an optional remote shell installer from a placeholder GitHub source, while the provided manifest does not include install.sh. This is user-directed, but users should verify any remote script before running it.

Skill content

bash <(curl -fsSL https://raw.githubusercontent.com/YOUR_USERNAME/cypress-agent-skill/main/install.sh)

Recommendation

Prefer the registry install or a verified repository, and inspect any install.sh script before executing curl-to-bash commands.

What this means

A copied test helper could mutate or reset backend data if misconfigured.

Why it was flagged

The skill provides a template for backend test reset operations. This is common for Cypress test suites, but it can be high-impact if pointed at a non-test environment.

Skill content

Cypress.Commands.add('resetDatabase', () => { cy.request({ method: 'POST', url: `${Cypress.env('apiUrl')}/test/reset`, headers: { 'x-test-secret': Cypress.env('TEST_SECRET') } }) })

Recommendation

Use these helpers only against isolated test environments, require test-only secrets, and add safeguards that block production URLs.

What this means

Test credentials or cached sessions could be reused beyond a single test if users configure them with real accounts.

Why it was flagged

The auth examples intentionally use test credentials and cache sessions across specs, which is expected for Cypress auth testing but involves delegated account access and persistent test session state.

Skill content

cy.env(['testUserEmail', 'testUserPassword']).then(({ testUserEmail, testUserPassword }) => { cy.session(['ui-login', testUserEmail], ... { cacheAcrossSpecs: true }) })

Recommendation

Use dedicated low-privilege test accounts, avoid production credentials, and clear Cypress sessions when tests finish or when switching environments.