ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A.I Ventures Test Gen A.I Agent

v1.0.1

Analyzes a given URL and automatically generates comprehensive functional, UI, and boundary test cases.

0· 79·0 current·0 all-time
by@kushanlk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose (analyze a URL and generate test cases) matches the idea of a DOM-extractor script. package.json lists playwright (a browser automation library) which is a reasonable dependency for this purpose. However, the critical implementation file analyze-dom.js is empty (0 bytes) so the skill as packaged cannot perform its stated function. There is no homepage or source provenance to justify the package or owner.
Instruction Scope
SKILL.md gives precise runtime instructions: run `node analyze-dom.js <URL>`, read JSON output, then generate test plans. Those instructions do not request unrelated files, env vars, or odd exfiltration endpoints. The problem is the instruction assumes a local script will produce JSON, but the script is missing—so the instructions are impossible to follow and may prompt an agent or user to obtain or execute unknown code.
Install Mechanism
There is no install specification (instruction-only), but package.json declares a dependency on playwright (^1.59.1). Playwright is a legitimate but heavyweight dependency (downloads browsers). The absence of an install step or documented provenance means a user/agent may need to fetch npm packages at runtime; this is not itself malicious but is an operational gap and increases risk if the missing script is later supplied from an unknown source.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to the stated purpose (web DOM analysis) and there are no apparent attempts to request unrelated secrets.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. It does not declare actions that modify other skills or system-wide settings. No persistence or elevated platform privileges are requested.
What to consider before installing
Do not run or install this skill as-is. The analyze-dom.js file is empty, so the package cannot perform its stated task — this is an implementation gap that could be benign (forgotten file) or a sign the real code is supplied later from an untrusted source. Before installing or running anything: 1) request the full analyze-dom.js source and review it for network calls, file I/O, and data exfiltration; 2) verify the package comes from a known author or repository (homepage/source control); 3) if you must test it, run it in an isolated sandbox with no access to sensitive files or credentials and with network egress restricted; 4) be aware playwright will download browsers if installed from npm—prefer installing dependencies from the official registry and reviewing package-lock files; 5) decline use if the author cannot provide source/provenance or if the script contains unexpected network endpoints or secret-accessing code.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cktzxj3sr2z87fevggajgs84bb06

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments