Qa

Security checks across malware telemetry and agentic risk

Overview

This QA skill is purpose-aligned, but it gives the agent broad authority to submit forms and change code, so it should be used only in controlled test environments with review.

Before using this skill, point it at a staging environment or test account, confirm that form submissions are safe, and run it on a clean feature branch. Review all screenshots, reports, diffs, and commits before pushing, merging, or deploying anything.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If run against a production or real account, the agent could submit forms, change records, trigger workflows, or perform other actions while testing.

Why it was flagged

This authorizes broad browser actions, including form submissions. The provided instructions do not show confirmation or containment before potentially destructive or live-data-changing actions.

Skill content

Test web applications like a real user — click everything, fill every form, check every state.

Recommendation

Use this only on staging or test accounts by default, and instruct the agent to ask before destructive actions, purchases, sends, deletes, or other irreversible submissions.

ASI02: Tool Misuse and Exploitation
Low
What this means

The skill may alter your local codebase and Git history during normal use.

Why it was flagged

Changing source code and committing fixes is central to the skill's purpose and is clearly disclosed, but it creates persistent repository changes.

Skill content

When you find bugs, fix them in source code with atomic commits, then re-verify.

Recommendation

Run it on a clean feature branch and review every diff and commit before pushing, merging, or deploying.

ASI03: Identity and Privilege Abuse
Low
What this means

Providing real credentials or session cookies could let the agent act as that account while testing.

Why it was flagged

The skill may use user-supplied credentials or a cookie file for authenticated QA. This is purpose-aligned, and the instructions also say to redact passwords, but it still involves sensitive account access.

Skill content

| Auth | None | credentials or cookie file |

Recommendation

Prefer dedicated test accounts with limited permissions, avoid production cookies when possible, and ensure reports or screenshots do not expose secrets.