qa-browser-tester
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a real browser QA helper, but it can automatically install software, disable Chromium sandboxing, click every button, and submit every form on a site without clear safeguards against production or destructive actions.
Install or invoke this only for apps you are authorized to test, preferably staging environments with disposable test data and accounts. Do not aim it at production unless you first restrict the allowed domain, disable destructive actions, and approve form submissions and button clicks that could change real data.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a production app, the agent could submit forms, create test records, send messages, place orders, delete items, publish content, or trigger other real workflows.
The stated workflow intentionally performs broad browser actions. For QA this is expected, but without clear safeguards it can trigger destructive or state-changing actions on a real application.
perform exhaustive end-to-end QA testing of a web application — clicking every button, filling every form, navigating every menu
Use only against a staging or disposable test environment unless the agent is given strict limits, safe test credentials, and explicit approval before destructive or irreversible actions.
The test can cause unintended state changes in the target web application and may be hard to reverse afterward.
The provided QA script automatically clicks every visible button it finds and submits detected forms, with no filtering for dangerous labels such as delete, purchase, publish, invite, or send.
for i, btn in enumerate(btns): ... btn.click(timeout=4000) ... forms ... submit.click()
Add guardrails such as dry-run mode, same-origin checks, denylisted destructive actions, per-action confirmation for high-impact buttons/forms, and clear staging-only guidance.
The browser could leave the intended app through navigation links and interact with third-party pages, identity providers, admin portals, or other connected systems.
The navigation logic follows discovered hrefs but does not visibly restrict testing to the original BASE_URL origin before later clicking buttons and submitting forms on visited pages.
href = item.get("href", "") ... if not href or href in visited_urls or href.startswith("mailto") or href == "#": continue ... visited_urls.add(href)
Restrict all navigation and form/button testing to the target origin or an explicit allowlist supplied by the user.
Installing may modify the host environment and depends on current upstream package contents.
The skill relies on live package installation and an unpinned bootstrap script. This is coherent with setting up Playwright, but it is not captured in an install spec and depends on external package sources at runtime.
pip3 install playwright
python3 -m playwright install chromium
curl https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
python3 /tmp/get-pip.py
Prefer a pinned container image or pinned dependency versions, and ask the user before modifying system packages.
Running the skill executes local automation code and can consume system resources or change the target web application through browser actions.
The skill is instruction-only but directs the agent/user to create and execute a local Python browser automation script. This is central to the skill purpose, but it is still local code execution.
Copy this entire script, set BASE_URL, and run it with:
```bash
python3 /tmp/qa_test.py
```
Review the generated script and run it in an isolated container or test VM when possible.
Sensitive application data visible during testing may remain in /tmp/qa_screenshots after the run.
The skill stores screenshots of tested pages locally. This is expected for QA evidence, but screenshots can contain private page content, user data, or admin information.
Create screenshot directory:
```bash
mkdir -p /tmp/qa_screenshots
```
... ### SCREENSHOTS SAVED [list files in /tmp/qa_screenshots/]
Avoid using real user data during tests, review screenshot contents before sharing, and delete the screenshot directory when finished.
