Skill v1.0.0

ClawScan security

Web 测试用例生成器 (Web Test Case Generator) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 26, 2026, 3:44 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are internally consistent with a web-page test-case generator and do not request unexpected credentials or installs, though it will collect page structure/controls so users should avoid supplying sensitive pages and be aware of any platform browser tooling that exposes cookies or auth.
Guidance
This skill appears coherent for generating web UI test cases. Before using it: (1) only provide non-sensitive/test URLs — the skill will capture page structure and form contents; (2) verify how your platform's 'browser' tool handles authentication/cookies (it may expose session cookies or logged-in state to the skill); (3) if you intend to use the claimed export-to-docs features, ask how authentication is handled and do not supply production credentials unless you trust the implementation; (4) if provenance matters, request source code or a trusted homepage since the skill's source is unknown. A safe first step is to run it on a public, non-production page to confirm behavior.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md describes opening a URL, snapshotting the DOM/ARIA refs, identifying interactive elements and producing structured test cases (Markdown/CSV). There are no unrelated environment variables, binaries, or installs requested.
Instruction Scope
note: Runtime instructions tell the agent to open arbitrary URLs, capture snapshots of interactive elements, click and fill elements, and generate/export test-case files — all consistent with generating test cases. Note: capturing page snapshots and element refs can collect sensitive page content (forms, tokens visible in DOM). The skill also claims optional export to third-party docs (Kingsoft/Feishu) but provides no auth steps or declared env vars for those exports.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. It relies on the platform-provided 'browser' commands (assumed available) rather than downloading or installing packages.
Credentials
ok: No environment variables, credentials, or config paths are requested. This is proportionate for an instruction-only generator that uses platform browser tooling. The only mild inconsistency is the SKILL.md mentioning exports to external doc services without declaring any required credentials or how they'd be provided.
Persistence & Privilege
ok: Default privileges (always:false, user-invocable:true). The skill does not request persistent or elevated platform privileges and does not modify system/other-skill configs.