Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Qa Bot

v0.1.3

AI-powered automated QA for web apps. Smoke tests, accessibility, visual regression. Works with Cursor, Claude, ChatGPT, Copilot. Vibe-coding ready.

by Next Frontier AI (@nextfrontierbuilds)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (web QA, smoke tests, accessibility, visual regression) align with the included source files (QABot, Browser wrapper, assertions, CLI). The code calls an external agent-browser CLI for browser control which is expected for this purpose.
Instruction Scope
SKILL.md instructs installing the package and agent-browser, using CLI commands (smoke, run, report) and programmatic API. It does not request unrelated environment variables or direct the agent to read system secrets; runtime instructions focus on browser automation and reporting.
Install Mechanism
The skill has no formal install spec in the registry but SKILL.md recommends npm install -g web-qa-bot and installing agent-browser. The package files are TypeScript sources (src/) but the CLI bin points at dist/cli.js — that may cause runtime problems if the package is distributed without a built dist. Also the peer dependency agent-browser has an install script and playwright-core is present in the lockfile; those can download browser binaries and run install-time actions. This is expected for a browser automation tool but worth noting.
Credentials
The skill declares no required environment variables or credentials and the code does not reference secrets or unrelated config paths. It interacts with local filesystem for screenshots and reads/writes test/report files — appropriate for its purpose.
Persistence & Privilege
Skill is not force-included (always: false). It does not request to modify other skills or system-wide agent settings. It launches or connects to browsers but limits actions to CLI calls and local files.
Assessment
This package appears coherent for automated web QA, but check a few practical points before installing or running it:
- agent-browser and Playwright: The tool relies on the agent-browser CLI (peer dependency) and the lockfile references playwright-core; those packages may run install scripts and download browser binaries. That is normal for browser automation but expect large downloads and install-time activity.
- Build/distribution mismatch: The repository content contains TypeScript source (src/) while the CLI bin refers to dist/cli.js. If you install a published package, verify the package includes a built dist/ directory; otherwise the CLI may fail to run.
- File system and browser access: The tool writes screenshots and report files to disk and launches/controls browser instances. Do not point it at sensitive internal systems or provide secrets in test files unless you trust the package source.
- PDF/reporting dependencies: SKILL.md mentions ai-pdf-builder and LaTeX for PDF export; those are not listed as direct dependencies — you may need to install extra tooling to generate PDFs.
- Verify origin: The skill metadata lists a repo and npm name. If you plan to use this in production, verify the package on npm/GitHub (authors, recent releases, checksums) to avoid typosquat or forged packages.

If you want, I can: (a) scan the omitted source files for any network endpoints or suspicious code paths, (b) check for any hard-coded URLs/credentials inside all files, or (c) produce a short checklist to safely run the first smoke test in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk97e68fjjazjp73ym3frmk7psd80ytek
